
Re: Does pam_env.so work?


You have a fairly good working relationship with the Solaris PAM.  How
does this sort of thing play out with Solaris?  I'm curious whether they
implemented the credential stack to automatically reproduce the flow
followed by the (earlier) authentication stack, or whether it follows
the flow as determined by the return codes of the credential components
to these modules (as Linux-PAM does).

[Derrick and co. submitted some patches to force pam_unix and pam_pwdb
modules to do the sane thing here.  I'll have included these changes in
the next Linux-PAM release, but my tree is currently in transition (read
broken) with some event-driven stuff so unless I break the distribution
into a separate module dist, I think it will be a month before this code
sees the light of day..]

[Seth, in case you missed it, the important difference between the case
where pam_env comes before and after the pam_unix module, is the fact
that pam_unix is 'sufficient' as opposed to 'required'.]



Derrick J Brashear wrote:
> On Thu, 5 Nov 1998, Seth Chaiklin wrote:
> > On Wed, 4 Nov 1998, Andrew Morgan wrote:
> >
> > > Seth Chaiklin wrote:
> > > > auth       required   pam_nologin.so
> > > > auth       required   pam_securetty.so
> > > > auth       sufficient pam_unix_auth.so
> > > > auth       required   pam_nw_auth.so PSY
> > > > auth       required   pam_env.so debug
> > >
> > > What happens if you place the pam_env before the pam_unix line?
> >
> > Then it works with the login from SimplePAMApps, but not with
> > the login from util-linux (which Derrick Brashear already explained).
> >
> > When I first moved pam_env.so to after the other auth lines,
> > I thought, will this make any difference, naa, they are all
> > auth lines, and it has nothing to do with password checking,
> > and it is probably better to set environment variables
> > after the authentication.  Why was that bad logic?
> Easy. pam_env (presumably) sets variables in the set_cred step. The unix
> set_cred is sufficient (and succeeds) and so the pam_env one never gets
> hit..
> -D
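
The short-circuit Derrick describes, as an added example that is not part of the original thread: a simplified Python model of a stack walk driven by each module's return code, handling only the `required` and `sufficient` flags. The function names, the reordered stack and the assumption that every module succeeds unless told otherwise are made up for illustration.

```python
# Added example: simplified model, not Linux-PAM source code.
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Stack quoted in the thread (pam_env last) and a constructed reordering.
ORIGINAL = """\
auth       required   pam_nologin.so
auth       required   pam_securetty.so
auth       sufficient pam_unix_auth.so
auth       required   pam_nw_auth.so PSY
auth       required   pam_env.so debug
"""
REORDERED = """\
auth       required   pam_nologin.so
auth       required   pam_securetty.so
auth       required   pam_env.so debug
auth       sufficient pam_unix_auth.so
auth       required   pam_nw_auth.so PSY
"""

def parse_stack(conf, facility="auth"):
    """Return [(control, module)] for one facility; module arguments are dropped."""
    stack = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            if fields[1] not in ("required", "sufficient"):
                raise ValueError("control flag not modelled: " + fields[1])
            stack.append((fields[1], fields[2]))
    return stack

def walk(stack, results):
    """Walk the stack by return code; return (final result, modules invoked)."""
    invoked, failure = [], None
    for control, module in stack:
        invoked.append(module)
        rc = results.get(module, PAM_SUCCESS)   # modules succeed unless told otherwise
        if control == "required" and rc != PAM_SUCCESS:
            failure = failure or rc             # remember first failure, keep walking
        elif control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS, invoked         # short-circuit: the rest never runs
        # a failing 'sufficient' module is ignored in this model
    return failure or PAM_SUCCESS, invoked

def skipped(conf, results=None):
    """Modules in the stack that the walk never reaches."""
    stack = parse_stack(conf)
    _, invoked = walk(stack, results or {})
    return [m for _, m in stack if m not in invoked]

if __name__ == "__main__":
    print(skipped(ORIGINAL))
    print(skipped(REORDERED))
    print(skipped(ORIGINAL, {"pam_unix_auth.so": PAM_AUTH_ERR}))
```

In this model the third call, where pam_unix_auth.so fails, does reach pam_env.so, so the skip only affects users that the `sufficient` module accepts.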
