On Mon, 2009-02-02 at 14:50 +0100, Thorsten Kukuk wrote:
> On Mon, Feb 02, Thorsten Kukuk wrote:
>
> > Hi,
> >
> > since Linux-PAM 0.75/0.76 we use a frozen chain for
> > pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.
> >
> > With pam_setcred and pam_session I have no problems, there it is
> > correct.
> > But now I got bug reports because of pam_chauthtok, and I see a
> > real problem there:
> >
> > Nearly all modules always return PAM_SUCCESS for PAM_PRELIM_CHECK
> > if you try to update a password. As a result, "requisite" will be
> > handled as "required" and the control flow will not return to the
> > application on a failure, but the following module on the stack
> > will be called.
> >
> > But reverting that change for pam_chauthtok means breaking
> > "sufficient".
> >
> >
> > I see now several solutions:
> >
> > 1. Ignore the problem and document that "requisite" will not
> >    work as expected in most cases for password changes.
> >
> > 2. Revert that change and document that PAM_PRELIM_CHECK
> >    after "sufficient" modules will not run, but that the
> >    module still could be called for PAM_CHAUTHTOK.
> >
> > 3. Always run all modules with "PAM_PRELIM_CHECK" and
> >    ignore "sufficient" and "requisite".
>
> 4. What other PAM implementations are doing:
>    - No frozen chain for pam_chauthtok
>    - Treat "sufficient" as "optional" in case
>      PAM_PRELIM_CHECK is set.
>
> > Any ideas/opinions/other choices?
> >
> > Currently I tend to option 3).
>
> My new favorite is option 4).

That seems to me to be the best option as well, but I'd like to see
opinions from other PAM developers.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
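The control-flow behaviour the thread argues about, as an added example that is neither Linux-PAM code nor anything posted in the thread: a toy walk over a "password" stack that can either replay a frozen chain (pass-1 decisions reused in pass 2, as the thread describes for Linux-PAM) or treat "sufficient" as "optional" during PAM_PRELIM_CHECK (option 4). Module names and the return codes each module gives per phase are constructed.

```python
# Toy model of a PAM "password" stack walked in the two pam_chauthtok phases
# from the thread (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK). Constructed
# for illustration; this is not Linux-PAM's dispatcher.
from collections import namedtuple

PAM_SUCCESS, PAM_AUTHTOK_ERR = 0, 20  # return codes as numbered in Linux-PAM

# control: required | requisite | sufficient | optional
# prelim / update: code the module returns in each of the two phases
Module = namedtuple("Module", "name control prelim update")


def walk(stack, phase, sufficient_as_optional=False, cached=None):
    """One pass. Returns (status, called, stops); `stops` says whether each
    module ended the walk, and passing it back as `cached` replays those
    decisions (the frozen chain) while status comes from live return codes."""
    fail, ok, called, stops, ret = None, False, [], [], PAM_SUCCESS
    for i, m in enumerate(stack):
        ret, ctrl = getattr(m, phase), m.control
        called.append(m.name)
        if sufficient_as_optional and ctrl == "sufficient":
            ctrl = "optional"
        if cached is not None:                 # frozen: reuse pass-1 decision
            stop = cached[i]
        else:
            stop = ((ctrl == "requisite" and ret != PAM_SUCCESS) or
                    (ctrl == "sufficient" and ret == PAM_SUCCESS and fail is None))
        stops.append(stop)
        if ctrl in ("required", "requisite") and ret != PAM_SUCCESS:
            fail = ret if fail is None else fail   # first failure wins
        elif ctrl != "optional" and ret == PAM_SUCCESS:
            ok = True
        if stop:
            break
    status = fail if fail is not None else (PAM_SUCCESS if ok else ret)
    return status, called, stops


def chauthtok(stack, frozen=False, sufficient_as_optional=False):
    """frozen=True models Linux-PAM as described in the thread; both flags
    False is option 2; sufficient_as_optional=True with frozen=False is option 4."""
    st, prelim_called, stops = walk(stack, "prelim", sufficient_as_optional)
    if st != PAM_SUCCESS:
        return st, prelim_called, []
    st, update_called, _ = walk(stack, "update", cached=stops if frozen else None)
    return st, prelim_called, update_called


# Constructed stacks (names made up); every module passes PAM_PRELIM_CHECK.
REQUISITE_STACK = [Module("quality_check", "requisite", PAM_SUCCESS, PAM_AUTHTOK_ERR),
                   Module("store_hash", "required", PAM_SUCCESS, PAM_SUCCESS)]
SUFFICIENT_STACK = [Module("remote_pw", "sufficient", PAM_SUCCESS, PAM_AUTHTOK_ERR),
                    Module("local_pw", "required", PAM_SUCCESS, PAM_SUCCESS)]
```

With the frozen chain, `store_hash` is still called for PAM_UPDATE_AUTHTOK after the requisite module fails (requisite acting as required), and under option 2 `local_pw` receives PAM_UPDATE_AUTHTOK without ever having seen PAM_PRELIM_CHECK; option 4 gives every module its PRELIM_CHECK while keeping requisite and sufficient semantics in the update pass.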