Hi,

since Linux-PAM 0.75/0.76 we use a frozen chain for pam_setcred, pam_chauthtok and pam_open_session/pam_close_session. With pam_setcred and pam_session I have no problems, there it is correct.

But I now got bug reports because of pam_chauthtok, and I see a real problem there: Nearly all modules always return PAM_SUCCESS for PAM_PRELIM_CHECK if you try to update a password. As a result, "requisite" will be handled as "required" and the control flow will not return to the application on a failure, but the following module on the stack will be called.

But reverting that change for pam_chauthtok means breaking "sufficient".

I see now several solutions:

1. Ignore the problem and document that "requisite" will not work as expected in most cases for password changes.
2. Revert that change and document that PAM_PRELIM_CHECK after "sufficient" modules will not run, but that the module still could be called for PAM_CHAUTHTOK.
3. Always run all modules with "PAM_PRELIM_CHECK" and ignore "sufficient" and "requisite".

Any ideas/opinions/other choices? Currently I tend to option 3).

Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
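
The "requisite" behaviour described in the message above, as a simplified model added here (it is not libpam code and not part of the original post). The two-module stack, its return values and all names (`run_pass`, `chauthtok`, the "check" and "store" modules) are constructed assumptions; only "required" and "requisite" are modelled.

```c
#include <stdio.h>

enum ctl { REQUIRED, REQUISITE };
enum { OK = 0, ERR = 1 };   /* stand-ins for PAM_SUCCESS and any failure code */

struct mod {
    enum ctl ctl;
    int prelim_ret, update_ret;  /* constructed results for the two passes */
    int cached;                  /* result remembered from the prelim pass */
    int update_calls;            /* how often the update pass reached us */
};

/* One walk over the stack. prelim=1 is the PAM_PRELIM_CHECK pass, which
 * records each result. In the update pass, frozen=1 picks the control
 * action from the recorded result; frozen=0 uses the live result. */
static int run_pass(struct mod *st, int n, int prelim, int frozen)
{
    int status = OK;
    for (int i = 0; i < n; i++) {
        struct mod *m = &st[i];
        int ret = prelim ? m->prelim_ret : m->update_ret;
        if (prelim) m->cached = ret; else m->update_calls++;
        int flow = (!prelim && frozen) ? m->cached : ret;
        if (status == OK && (ret != OK || flow != OK)) status = ERR;
        if (flow != OK && m->ctl == REQUISITE) break;  /* requisite: stop here */
    }
    return status;
}

/* Constructed stack: a hypothetical "check" module marked requisite that
 * passes the prelim pass but rejects the new password in the update pass,
 * followed by a hypothetical required "store" module. */
static int chauthtok(int frozen, int *store_calls)
{
    struct mod st[] = {
        { REQUISITE, OK, ERR, OK, 0 },   /* check */
        { REQUIRED,  OK, OK,  OK, 0 },   /* store */
    };
    int rc = run_pass(st, 2, 1, frozen);
    if (rc == OK) rc = run_pass(st, 2, 0, frozen);
    *store_calls = st[1].update_calls;
    return rc;
}

int main(void)
{
    for (int frozen = 1; frozen >= 0; frozen--) {
        int calls, rc = chauthtok(frozen, &calls);
        printf("frozen=%d rc=%d store update calls=%d\n", frozen, rc, calls);
    }
}
```

In both modes the application gets a failure back, but with the frozen chain the module after the failing "requisite" entry is still invoked in the update pass.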