Re: use_authtok -- what purpose?

On Tue, 4 Apr 2000, Michael Tokarev wrote:

> Hello!

> I'm now in the process of writing a module that, like pam_cracklib, checks
> user's password for "goodness" (actually, I want to fix many small bugs
> in pam_cracklib -- and make it available, of course).  And I found (a sort of)
> bug in pam_cracklib in usage of use_authtok parameter.  And here is the question:
> what we should do if:
>   use_authtok is set to yes
>   but pam_get_item(PAM_AUTHTOK) returns error or empty (or NULL) password ?

> I see two choices, namely, just return error (PAM_AUTHTOK_RECOVER_ERR?), or,
> alternatively, ask user as if use_authtok was not set.  What should be done?

It's not clear to me that one way is better than the other.  With
try_first_pass vs. use_first_pass, there's a clear difference: the first means
to ask the user, the second means to return an error.  use_authtok is more
ambiguous, but I think existing modules that honor use_authtok use it to mean
"return an error if the previous module didn't give us an authentication
token."  Without the use_authtok option, they will use an authentication token
if it's there, and prompt the user if it isn't.

Steve Langasek
postmodern programmer
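
The option semantics discussed in this thread, as an added example that is not part of either message and not code from pam_cracklib or Linux-PAM. It does not link against libpam: `decide`, `parse_opts`, `tok_opts` and the `TOK_*` names are hypothetical, and treating an empty token the same as a NULL one is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical outcome names for this sketch. A real module would return PAM
 * result codes, e.g. the PAM_AUTHTOK_RECOVER_ERR suggested in the question. */
enum tok_action { TOK_USE, TOK_PROMPT, TOK_FAIL };

struct tok_opts { int use_authtok, use_first_pass, try_first_pass; };

/* Scan the module arguments as they would appear on its PAM config line. */
static struct tok_opts parse_opts(int argc, const char **argv)
{
    struct tok_opts o = {0, 0, 0};
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "use_authtok") == 0) o.use_authtok = 1;
        else if (strcmp(argv[i], "use_first_pass") == 0) o.use_first_pass = 1;
        else if (strcmp(argv[i], "try_first_pass") == 0) o.try_first_pass = 1;
    }
    return o;
}

/* get_ok and stacked_tok stand in for the result of pam_get_item(PAM_AUTHTOK):
 * get_ok is 0 when the call failed. Assumption: NULL and "" both count as
 * "no token", which is the case the question asks about. */
enum tok_action decide(int argc, const char **argv, int get_ok, const char *stacked_tok)
{
    struct tok_opts o = parse_opts(argc, argv);
    int have = get_ok && stacked_tok != NULL && stacked_tok[0] != '\0';

    if (have)
        return TOK_USE;                 /* token from the previous module */
    if (o.use_authtok || o.use_first_pass)
        return TOK_FAIL;                /* strict options: never prompt */
    return TOK_PROMPT;                  /* try_first_pass or no option: ask */
}

int main(void)
{
    static const char *names[] = { "use", "prompt", "fail" };
    const char *strict[] = { "use_authtok" };
    const char *lax[] = { "try_first_pass" };

    printf("use_authtok, empty token: %s\n", names[decide(1, strict, 1, "")]);
    printf("try_first_pass, get failed: %s\n", names[decide(1, lax, 0, NULL)]);
    printf("no options, token stacked: %s\n", names[decide(0, NULL, 1, "constructed-token")]);
    return 0;
}
```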

