This issue was raised a couple of times this spring without response. I would like to know, if there is more than one path for authorization in the PAM stack, which one actually succeeded. For example, say I have a PAM configuration file like this: auth sufficient pam_first.so auth sufficient pam_second.so acct sufficient pam_first.so acct sufficient pam_second.so The behavior I want is: whichever module succeeds for authorization, use the same module when the application makes an accouting request. The module pam_tacplus.so is "well-behaved" in this regard, in that acct will not succeed unless auth already did. pam_radius_auth.so however, at least in my configuration, it is happy to succeed in the acct request after a different module handled the auth request, which breaks my scheme. If it is not possible to get this behavior from PAM out of the box, would it make sense to write a custom PAM module to handle this logic? That is, my module would internally call pam_authenticate() / pam_acct_mgmt() on other PAM services, according to my specifications. With reference to the original posts on this topic: right now I would be if my application could figure out whether it was pam_first.so or pam_second.so which succeeded, perhaps via pam_get_item() https://www.redhat.com/archives/pam-list/2008-June/msg00000.html https://www.redhat.com/archives/pam-list/2008-May/msg00003.html _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
