
Re: PAM and /bin/login, acct_mgmt() vs authenticate()



On Fri, Aug 18, 2000 at 04:36:34PM -0400, Nicolas Williams wrote:
> On Fri, Aug 18, 2000 at 04:09:48PM -0400, Nalin Dahyabhai wrote:
> > You can't pam_end() before the shell starts, because you have to call
> > pam_setcred(PAM_DELETE_CREDS) and pam_close_session() before you do
> > that.  For this to work, login forks, handles the last two steps, and
> > the parent takes care of a proper PAM shutdown when its child exits.
> 
> Hmmm. Well, that's not how Solaris 2.6 does it.
> 
> There seems to be an assumption that you can call pam_end() without
> calling pam_close_session() and that later you can call pam_start()
> again, use pam_set_item to set the relevant items (user, ruser, rhost,
> tty) and then call pam_close_session() and pam_end().

In fact, telnetd et al. on Solaris only set the PAM_TTY and PAM_RHOST
items before calling pam_close_session().

> I think this is fine, provided that PAM, or, rather, the various PAM
> modules can retrieve the necessary state given just those items.
> 
> So, on Solaris, pam_close_session() is called by telnetd and friends,
> not by /bin/login.

I kind of like this ability to use those items to retrieve state and
close the session later. As long as it works...


> > Nalin
> 


Nico
--




