
Re: (no subject)


On Fri, 20 Jul 2001, Chris Riley wrote:

> Is it possible for a module to give the application more information about
> an authentication?

> I'm using pam_krb5 and I want to be able to distinguish between someone
> failing authentication because of a bad password and failing because the
> clocks are out of sync. It's not feasible to run something to synchronize
> the clocks at this time. But it would be great if PAM could somehow tell
> the application how the failure happens.

> At the moment pam_krb5 just returns PAM_AUTH_FAIL to PAM. Is there some
> way to pass along extra information that could be returned to the
> application?

Clearly, PAM doesn't have a failure code that corresponds to the Kerberos
'clocks are out of sync' condition.  The two other ways available for PAM
modules to return status information are PAM_INFO/PAM_ERROR messages sent
using the PAM conversation function, and log messages recorded using syslog or
an equivalent service.  Which you would use depends on who you want to see the

Attempting to base your system authentication on Kerberos without having
synchronized clocks is going to cause no end of problems.  Indeed, if you look
at the Kerberos documentation you'll find clock synchronization stated as a
non-negotiable requirement.  Can I ask why it's not feasible for you to run
some sort of time synchronization tool on this machine?

Steve Langasek
postmodern programmer
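
The application side of the conversation-function route described in the reply, as an added example that is not part of the original message. Linux-PAM names the two message styles `PAM_TEXT_INFO` and `PAM_ERROR_MSG`; `auth_diag` and `diag_conv` are hypothetical names, and it is an assumption that the module has been changed to send its failure reason as a `PAM_ERROR_MSG`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__has_include)
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
# endif
#endif
#ifndef PAM_SUCCESS  /* PAM headers absent: same layout and values as Linux-PAM */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19,
       PAM_PROMPT_ECHO_OFF = 1, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
#endif
/* Hypothetical application state, handed to PAM as appdata_ptr. */
struct auth_diag { const char *password; char last_error[256]; int n_errors; };

/* Conversation callback: answers the password prompt, keeps PAM_ERROR_MSG text. */
int diag_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata_ptr)
{
    struct auth_diag *d = appdata_ptr;
    if (num_msg <= 0 || !msg || !resp || !d || !d->password)
        return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r)
        return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style, ok = 1;
        if (style == PAM_PROMPT_ECHO_OFF) {      /* reply is freed by the caller */
            size_t n = strlen(d->password) + 1;
            ok = (r[i].resp = malloc(n)) != NULL;
            if (ok) memcpy(r[i].resp, d->password, n);
        } else if (style == PAM_ERROR_MSG) {     /* module-reported failure detail */
            snprintf(d->last_error, sizeof d->last_error, "%s",
                     msg[i]->msg ? msg[i]->msg : "");
            d->n_errors++;
        } else {
            ok = (style == PAM_TEXT_INFO);       /* any other prompt is unexpected */
        }
        if (!ok) {                               /* undo partial replies and abort */
            while (i-- > 0) free(r[i].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

The application passes `diag_conv` and a pointer to its `auth_diag` in the `struct pam_conv` it gives to `pam_start()`, then reads `last_error` after `pam_authenticate()` fails. The message text is free-form, so log it or show it to an operator rather than matching on it.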
