pam_setcred & pam_open_session


I have found a problem in the specification (or is it just my poorly
equipped brain's problem?). Sorry if I missed a relevant discussion on the

pam_setcred() might be called either before or after session
initialization. The docs

"It is usually called after the user has been authenticated,
after the account management function has been called but before a
session has been opened for the user."

That is, no *enforced* order.
In other random pam-docs on the net I read even that "pam_setcred() is
usually called after a session has been opened"...

But then, there are things we may want to do by session pam-modules,
that need credentials - to be established by other modules, like pam_kcoda
that needs Kerberos credentials. If I stack the modules like

auth    pam_krb5.so
session pam_kcoda.so

It may work and may not work depending on when an application calls
pam_setcred(). And when the application does it the other way around,
I have no possibility to make it work with Kerberos and Coda,
without combining both modules into one (or providing them with
peer-to-peer knowledge inside pam framework) - thus creating unnecessary
complications in development and support, totally against the idea of

The problem might go away if we demand that
"pam_setcred() has to be called after successful authentication and before

It should not sacrifice compatibility with other pam implementations as
long as nobody else demands exactly otherwise.
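
The ordering dependency described in the message above, as an added example that is not part of the original post: a self-contained C model (no libpam calls) of an application driving a credential-setting auth module and a session module that needs those credentials, in both call orders. The struct, function names and return codes are hypothetical stand-ins for the roles of pam_krb5.so and pam_kcoda.so, and the modules' behaviour is assumed from the post's description only.

```c
#include <stdio.h>
#include <stdbool.h>

/* Model only: this state stands in for whatever the credential module
   leaves behind for later modules (assumed, e.g. a ticket cache). */
struct handle { bool authenticated; bool creds_established; bool session_open; };

enum { OK = 0, ERR_CRED_UNAVAIL = 1, ERR_SESSION = 2 };  /* hypothetical codes */

/* auth-type module (the role pam_krb5.so plays in the post) */
static int krb_authenticate(struct handle *h) { h->authenticated = true; return OK; }
static int krb_setcred(struct handle *h) {
    if (!h->authenticated) return ERR_CRED_UNAVAIL;
    h->creds_established = true;
    return OK;
}

/* session-type module (the role of pam_kcoda.so): needs the credentials */
static int coda_open_session(struct handle *h) {
    if (!h->creds_established) return ERR_SESSION;  /* nothing to work with yet */
    h->session_open = true;
    return OK;
}

/* Application order A: credentials are set before the session is opened. */
int app_setcred_first(void) {
    struct handle h = {0};
    int rc;
    if ((rc = krb_authenticate(&h)) != OK) return rc;
    if ((rc = krb_setcred(&h)) != OK) return rc;
    return coda_open_session(&h);
}

/* Application order B: the session is opened before credentials are set. */
int app_session_first(void) {
    struct handle h = {0};
    int rc;
    if ((rc = krb_authenticate(&h)) != OK) return rc;
    if ((rc = coda_open_session(&h)) != OK) return rc;  /* fails here */
    return krb_setcred(&h);
}

int main(void) {
    printf("setcred before open_session: %d\n", app_setcred_first());
    printf("open_session before setcred: %d\n", app_session_first());
    return 0;
}
```

The same module stack succeeds or fails purely on the application's call order, which the module configuration cannot influence.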


