pam-list-request@xxxxxxxxxx wrote:
> Subject: Cancel running only one module
> From: "Josef Hajas" <josef@xxxxxxxxx>
> Date: Tue, 28 Nov 2006 18:02:17 +0100
> To: pam-list@xxxxxxxxxx
>
> Hello,
> I'm implementing pam_bioapi (for using my fingerprint reader) and I
> want to implement possibility to cancel running biometrics operation.
> Let's say I have this config:
> auth sufficient pam_bioapi.so [+some parameters]
> auth required pam_unix.so
>
> and I would like have some cancel button in application (for example
> in gnome-screensaver) which cancel only authenticate of pam_bioapi but
> still try to authenticate by pam_unix. Is there some standard way how
> to achieve this? I had an idea to use pam_conv and return error, but I
> can't be sure that some pam_conv come after user press cancel. I need
> something I can call from application since pam_authenticate()
> running.
>

Josef,

as far as I understand you, you want to cancel one specific PAM module's operation without effect to the other ones. IMHO 'cancel' means to PAM: the user refuses to authenticate. The correct behavior to this action would be to return an error to pam_conv. With the above priority-stacking (sufficient pam_bioapi, then required pam_unix) you should get along quite fine.

Your problem is the alternate user dialogue, because pam_bioapi wouldn't ask for a user name or a password, but pam_unix needs this. So, be sure pam_bioapi clears out 'user' via an empty pam_set_item(). Because an authentication token wasn't set by pam_bioapi AND no argument 'use_first_pass' in pam_unix, the latter should start a complete new authentication dialogue.

To be sure what's going on, switch on debugging in pam_unix and trace your /var/log/auth.log.

Regards,
Andreas

--
Dr.-Ing. Andreas Schindler
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
Telefon 06103-57187-21
Telefax 06103-373245
schindler@xxxxxx
www.az1.de
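The stacking behaviour the reply relies on, as an added example that is not part of the original mail and is not libpam code: a simplified model of how the `sufficient` and `required` control flags combine for the two-line stack quoted above. The type and function names (`run_stack`, `scenario`, `RES_OK`, `RES_FAIL`) and the per-module outcomes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of auth stack evaluation; names are hypothetical. */
enum control { REQUIRED, SUFFICIENT };
enum result  { RES_OK = 0, RES_FAIL = 1 };

struct entry {
    const char  *module;   /* module name as written in the pam.d file */
    enum control control;  /* control flag from the same line */
    enum result  outcome;  /* constructed: what the module returns this run */
};

/* Walks the stack; *ran receives how many modules were actually called. */
enum result run_stack(const struct entry *stack, size_t n, size_t *ran)
{
    int required_failed = 0, any_ok = 0;
    *ran = 0;
    for (size_t i = 0; i < n; i++) {
        (*ran)++;
        if (stack[i].outcome == RES_OK) {
            any_ok = 1;
            /* sufficient + success + no earlier required failure: stop */
            if (stack[i].control == SUFFICIENT && !required_failed)
                return RES_OK;
        } else if (stack[i].control == REQUIRED) {
            required_failed = 1;  /* remembered; the stack keeps running */
        }
        /* a failed sufficient module is ignored, e.g. a cancelled scan */
    }
    return (!required_failed && any_ok) ? RES_OK : RES_FAIL;
}

/* The stack from the mail, with constructed outcomes for each module. */
enum result scenario(enum result bioapi, enum result unix_pw, size_t *ran)
{
    struct entry stack[] = {
        { "pam_bioapi.so", SUFFICIENT, bioapi  },
        { "pam_unix.so",   REQUIRED,   unix_pw },
    };
    return run_stack(stack, sizeof stack / sizeof stack[0], ran);
}

int main(void)
{
    size_t ran;
    enum result r = scenario(RES_FAIL, RES_OK, &ran);  /* scan cancelled */
    printf("cancelled scan, good password: result=%d, modules run=%zu\n",
           (int)r, ran);
    return 0;
}
```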