[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: 2nd Qs: proposed description of new pam_unix



Steve Langasek wrote:
> 
[]
> > 1. Re-check the old password when doing the UPDATE, at least in the
> > case when PAM_PRELIM_CHECK wasn't done.
> 
> This should never happen.  The module's pam_sm_chauthtok() function is called
> twice by the PAM library, first with PAM_PRELIM_CHECK set, then with
> PAM_UPDATE_AUTHTOK.  I believe this is already well documented in the PAM
> specs.  Any implementation of libpam that doesn't call pam_sm_chauthtok() this
> way is seriously broken.

That's ok, but issue is not here.  Issue is in stacking with other
modules, and with some other (less-common) things.
chauthtok() called twice, and this is not a question.  But the real
question is -- will it be called with UPDATE_AUTHTOK if it returned
error when called with PRELIM_CHECK set earlier?  This can happen
if that module was declared "sufficient" while other module (that
did authenticated user) as "required"/"sufficient".  In the other
hand, other modules can change authtok on its own (due to even
admin mistake), so things will be more "interesting".
Also (less-common) thing is a locking.  It is bad idea to lock
passwd database(s) during all passwd stack work (I said this
earlier already).  And so, after verifying current passwd, there
is a chance to have it already updated (by someone else?! :)
when we will try to update it at the end.  So, this checking
of old passwd compared to system's one _when updating it_ is
useful here too.





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []