
Re: password-changing HOWTO?



> > Idea for "login" skeleton
> > 	get username/passwd
> > 	pam_authenticate()
> > 		In here, if passwd has expired, prompt for new one - 
> > 		only when the new passwd is approved do we return 
> > 		success (unless root, in which case we warn)
> > 	if success login, if not dump em back out.

just one thing you should consider.
it's probably not a good idea for the app (login) to prompt for
a username/passwd.  let the module handle this.  the reason is that
if, in the future, you implement a smartcard module the login app
would prompt:  "Login:"

when you really need a different prompt like:  "Please insert your card."
only the module knows what the proper prompt should be.

also, the same goes for the password.  we don't want the app
to prompt:  "Enter Password:"
when the module wants to read in some biometric info (fingerprint).

> > Idea for "passwd" skeleton
> > 	pam_authenticate() (skipped if root?)
> > 	change passwd
> 
> So should the password *module* be doing the authenticate, or should the
> passwd *program*?

neither the passwd application nor the passwd module should call
pam_authenticate.  the authentication stack is not guaranteed to be
the same as the password stack.  hence, why make a user authenticate
to each module in the auth stack, when s/he only wants to change
the passwords in the password stack?

also, why should a user authenticate to a kerberos module when they
are changing their unix password?

each password module should authenticate the user by itself WITHOUT calling
pam_authenticate.  a unix password module should prompt for just
the unix password.  a kerberos password module should prompt for
just the kerberos password.

charlie
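The split charlie describes, in code: the application supplies only a conversation callback, and whichever module is stacked (unix, smartcard, kerberos password) chooses the prompt text and calls back through it. This is an added example, not code from the thread or from any PAM implementation; it stands in for the Linux-PAM declarations so it builds without libpam, and `module_ask` plays the module side with a scripted reply.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the Linux-PAM declarations used below (assumption: a real
 * login includes <security/pam_appl.h> instead of these). */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* The app's whole part in the dialogue: show whatever prompt the module chose
 * and return the answer. appdata_ptr: FILE* to read from (stdin in real login). */
static int app_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    FILE *in = appdata_ptr; struct pam_response *r; int i;
    *resp = NULL;
    if (num_msg <= 0 || in == NULL) return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL) return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        char buf[256]; int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_ON || style == PAM_PROMPT_ECHO_OFF) {
            fputs(msg[i]->msg, stdout);   /* ECHO_OFF: a tty app also disables echo */
            if (fgets(buf, sizeof buf, in) == NULL) goto fail;
            buf[strcspn(buf, "\n")] = '\0';
            if ((r[i].resp = strdup(buf)) == NULL) goto fail;
        } else if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO) {
            printf("%s\n", msg[i]->msg);  /* e.g. "Your password has expired." */
        } else goto fail;                 /* unknown style: refuse, don't guess */
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
/* Module side of one exchange, user reply scripted (constructed input) so it
 * runs offline. Returns malloc'd reply ("" if none needed), NULL on failure. */
char *module_ask(const char *scripted_input, int style, const char *prompt)
{
    struct pam_message m = { style, prompt }; const struct pam_message *mp = &m;
    struct pam_response *r = NULL; char *answer = NULL;
    FILE *in = fmemopen((void *)scripted_input, strlen(scripted_input), "r");
    if (in && app_conv(1, &mp, &r, in) == PAM_SUCCESS)
        answer = r[0].resp ? r[0].resp : strdup("");
    if (in) fclose(in);
    free(r);
    return answer;
}
```

A real module reaches `app_conv` through `pam_get_item(pamh, PAM_CONV, ...)` rather than calling it directly; `module_ask` only shortcuts that lookup.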


