Russ Allbery wrote:
> decoder <decoder@xxxxxxxxxxxx> writes:
>
>> Basically he says that you should change your module to do the
>> policy check in the first phase (the preliminary check phase)
>
> This is not possible to do in Kerberos. There's no separate API
> call to verify a password without changing it.
>
> Long-standing behavior or not, I still think this is a bug in PAM.
> If I specify that one password change module should not be called
> if another fails, the *reasons* for the failure are not of interest
> to me. Even if it's a network failure at the last step, it should
> still fail the rest of the stack. I don't know why that wouldn't
> be possible.

I definitely agree with you there, any other behavior is just illogical
and not useful either. I hope the PAM people agree on this and change
the behavior.

Best regards,

Chris