[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: use_authtok -- what purpose?

Andrew Morgan wrote:
> >
> > I see two choices, namely, just return error (PAM_AUTHTOK_RECOVER_ERR?), or,
> > alternatively, ask user as if use_authtok was not set.  What should be done?
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-4.html

Uh, already read this, and (as stated by Steve) that's ok -- use_first_pass,
try_first_pass.  But not use_authtok that is (again, Steve) not clean.

But here is more generic issue.
There are many places where passwords can be stored (/etc/{passwd,shadow},
.db file, sql database, even remote machine - e.g. NT (!) SAM database etc etc),
and we need to be shure that user chooses good password regardless on where it
is stored actually.  And module like pam_cracklib is ok for this purpose.
So I think we should have one "asking" module (pam_cracklib for example),
that asks the password and enshures that it is good enouth, and many other
modules that can be stacked "on top of it" to store password.
Also, one good candidate for module is "pam_saveoldpass" that should be stacked
on top of password storing module and should do the work that pam_unix currently
does -- store old password in, say, /etc/opasswd, and should be used in conjunction
with (again) the first "asking" module.
With the current situation, there are a lot of password checking spread across
pam_pwdb, pam_unix etc, and all of them uses different approaches.

Hence, for pam_cracklib-like module, is it even ok to have use_first_pass or
use_authtok at all?!  Try_first_pass sounds good, but the rest is not clean
to me. Especially if we have no mechanism of "popping" back modules (module
"stack"), i.e. we have no ability to "recall" previous module...

> Cheers
> Andrew


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []