
Re: Missing prompt item in PAM



Andrew Morgan writes:
>Environment variables supply a channel for doing 'dynamic' things like
>this. To propagate info like this, they require a convention to be
>adhered to between a module and an application. They are also advisory.
>They don't require that we teach libpam about passwords.

If environment variables are sufficient, why have pam_items at all?
This is strongly parallel to PAM_USER_PROMPT.  Why make it go through
another channel?

If you insist on making it go through an environment variable, it
*still* should be set as a policy item in the Linux-PAM documentation
precisely how it is to be interpreted.  Using an environment variable
encourages environment pollution/destruction as well.  Using a pam_item
instead keeps the information contained where it belongs.

I think that refusing to create PAM_PASSWORD_PROMPT is encouraging
hackish workarounds.  Mangling conversation function data is a hack.
Setting environment variables without regard to child processes
(who knows what other use any particular environment string will
have, and what data we will wipe out?) is hackish.  Creating
PAM_PASSWORD_PROMPT is clean, easy to specify, will not collide
with anything else.  Why are you so set against it?

As I said, I've already hacked around it.  Switching to another
hack is highly uninteresting.  By contrast, doing it cleanly is
interesting, at least to me.

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/


