[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_session bug?

On Mon, May 18, 1998 at 09:32:32AM -0400, Derrick J Brashear wrote:
> On Mon, 18 May 1998, Savochkin Andrey Vladimirovich wrote:
> > Do people agree on it?
> > 
> > Derrick, could you explain what you expect from an application
> > concerning pam_setcred and pam_authenticate?
> I use pam_authenticate in the kerberos module to check a password. it
> doesn't write out a ticket file, because it's only authenticating, not
> setting credentials. actually, it does write one out, but it's
> immediaately sucked into a pam variable and nuked. *if* the setcred half
> of the kerberos module is called, this is written back out. there seems to
> be little point is creating unnecessary load on the kerberos kdc to
> re-request the ticket when the original, which you need to get to
> authenticate anyhow, already got one, but given that pam_authenticate's
> job isn't to set credentials, i don't feel "correct" in leaving that
> ticket file around. Maybe there's something I'm missing, but this seems
> intuitive to me. 

My experience shows that placing auth() and setcred() calls in the same kind
is a fairly strong requirement.
I don't want to claim that applications MUST consider
the calls as of the same kind.
My suggestion is to mark the requirement you want under "MAY" so your
module should be able to work in any case.
Will it make a sense?

> > Sorry, it's not clear for me what behavior of 'init' is spoken about.
> login does open_session and exits. later, when you log out, init comes by
> and does close_session.

Thank you for the clarification.

In my opinion the correct behavior would be if login
waited for the child and closed the session itself.
My text reflects my opinion.

> > If pam_close_session() were called from the different application
> > how it would be possible to pass to the call the same pamh handle?
> therein lies the rub.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []