On Sun, Jul 30, Daniel Richard G. wrote: > * Instead of directly exec'ing a named program, the module invokes a > /bin/sh command string, for greater flexibility. Which flexibility should this give? > * Is the syslog interaction properly following convention? I noticed an > inconsistency in the formatting of syslog messages between pam_exec and > pam_unix (both invoked from sshd)... > > Jul 7 15:12:53 bassoon pam_exec[28567]: Command exited with status 0 > Jul 7 15:12:53 bassoon sshd[28567]: (pam_unix) session opened for > user skunk by (uid=0) > > ...but am uncertain of how things ought to be done here. The pam_exec line is from a pam_exec implementation calling openlog/closelog. This is very bad. You loose the information, which application called pam_exec, you destroy the syslog options of the main applications and you will get problems with threaded applications. The pam_unix one looks more correct. You should always use pam_syslog. We will not accpet self written logging functions again in Linux-PAM, we are happy that all are replaced with pam_*() functions now. > * The module will accept the following options, but I'm not sure what > exactly it should do (if anything) with them: > > expose_account > try_first_pass > use_first_pass > use_mapped_pass We don't need them at all. > * I'm a bit unclear on how pam_fail_delay() is supposed to work. Is the > manner in which I handled it---and described it in the documentation---at > all incorrect? You should not call pam_fail_delay() from a module. The application has to set it. Else you will overwrite defaults which the sysadmin set. > Attached is a patch against current CVS to pam_exec.c and pam_exec.8.xml. > It is gzipped, owing to its size. I would prefer to handle such large changes like the kernel developers do: A lot of small patches for every new functionality, so that it is possible to review and discuss every change and not one very big patch. Thorsten -- Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@xxxxxxx SUSE LINUX Products GmbH Maxfeldstr. 5 D-90409 Nuernberg -------------------------------------------------------------------- Key fingerprint = 8C6B FD92 EE0F 42ED F91A 6A73 6D1A 7F05 2E59 24BB _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
