[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: LSB PAM Testsuite/questions about behavior



Hi Thorsten,

On Thu, Dec 11, 2003 at 09:18:49AM +0100, Thorsten Kukuk wrote:

> The LSB wrote a test suite for PAM. After looking at the results,
> I have some questions about the PAM specification, where I couldn't
> find anything:

> 1. The PAM specefication describes the PAM_MAXTRIES error code, but
> not when it should be used. Does a module needs to return PAM_MAXTRIES
> at some time?

This seems to be entirely up to the module writer.  PAM_MAXTRIES seems
to be allowed, if a module's authentication retry limit is exceeded.  It
has always seemed under-specified to me, because of the potential
interactions between per-module and per-application retry limits.

> 2. If I call pam_authenticate with a unknown user, should the Module
> return PAM_AUTHINFO_UNAVAIL or PAM_USER_UNKNOWN?
> As far as I understand the documentation, PAM_AUTHINFO_UNAVAIL should
> be returned if there are network or hardware problems, but not if the
> user is unknown to the system.

This agrees with my understanding: PAM_AUTHINFO_UNAVAIL means the module
failed to verify the user, whereas PAM_USER_UNKNOWN means the user is
known to not exist.

> 3. Calling pam_chauthtok and the users enters the correct old
> password, but aborts on typing the new one, should a PAM module
> return PAM_AUTHTOK_RECOVER_ERR (I think this is wrong, since we
> got the old token) or PAM_AUTHTOK_ERR?

This sounds like PAM_AUTHTOK_ERR to me.

Cheers,
-- 
Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]