[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

PAM_PRELIM_CHECK && pam_krb5

Kerberos 1.2.2
Frank Cusack's pam_krb5 module

I have a question regarding proper behaviour of pam_chauthtok 

my service config looks like the following:

passwd    requisite    pam_krb5.so
passwd    required     pam_shadow_update.so

what's happening is this, i run /usr/bin/passwd, i key in an
invalid password,  pam_krb5 does not update my password,
but any stacked modules are still run even though i've set
pam_krb5 to requisite (exit on failure, right?)

Now, I think I understand what's going on, so here goes,
correct me if my understanding of the calling order is wrong...

pam_chauthok is called initially with flags|PAM_PRELIM_CHECK
(presumably this is to allow the module a chance to verify everything
before actually doing the commit)

	1.  Are all modules called with PAM_PRELIM then called a second time
	    with PAM_UPDATE?

	2.  What should I return if my modules doesn't want to worry about

	3.  Is (2) even valid?  or am I not following PAM's rules?

pam_chauthtok is then called a second time with flags|PAM_UPDATE_AUTHTOK 

looking through pam_dispatch.c [~ line 285]  it seems that when
is called with PAM_UPDATE_AUTHTOK set, use_cached_chain gets set to 1
then, in _pam_dispatch_aux() [~ line 102] the cached return value gets used
instead of the actual return code (from the second call) ... is this really
the desired
behaviour?  are we assuming that the second call cannot fail because the
check didn't?  this seems wrong to me...

BTW, Frank's module doesn't implement PRELIM, so I'm trying to figure out
best way to fix this with the least amount of work...if the answer is that
i'll need to
implement PRELIM checking, so be it...


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []