If anyone can give me any insight as to how to avoid the need to the session hook I'd be gratful.
If you look at the pam_tally module - it actually works similarly. However it uses account phase for that instead. The problem is that some applications can theoretically avoid to use the session phase if they don't create a session. Maybe you could call this functionality from pam_sm_acct_mgmt too and leave it on the user to which phase he wants to put it.
Ah yes - that sounds more sensible, thanks.
There is probably no way how to avoid the session hook. You could also use cleanup function on pam module data because this function has parameter with the final success/failure code, but it's called after the session is closed and the program can exit (due to program's error or kill) and don't call pam_end before that.
Ah, the cleanup hook. I think that would do the trick thanks. I don't think the case where the program dies without the cleanup happening is too much of a problem for me so that could be the answer, thanks.
I'll make some changes to the code and run the tests again and then make a release. Thanks for the help.
-- Andy Armstrong
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
