
pam_setcred & pam_open_session



Hello!

I have found a problem in the specification (or is it just my poorly
equipped brain's problem?). Sorry if I missed a relevant discussion on the
list.

pam_setcred() might be called either before or after session
initialization. The docs
(http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html)
say:

"It is usually called after the user has been authenticated,
after the account management function has been called but before a
session has been opened for the user."

That is, no *enforced* order.
In other random PAM docs on the net I even read that "pam_setcred() is
usually called after a session has been opened"...

But then, there are things we may want to do by session pam-modules,
that need credentials - to be established by other modules, like pam_kcoda
that needs kerberos credentials. If I stack the modules like

auth    pam_krb5.so
session pam_kcoda.so

It may work and may not work depending on when an application calls
pam_setcred(). And when the application does it the other way around,
I have no possibility to make it work with Kerberos and Coda
without combining both modules into one (or providing them with
peer-to-peer knowledge inside the PAM framework) - thus creating unnecessary
complications in development and support, totally against the idea of
modularization.

The problem might go away if we demand that
"pam_setcred() has to be called after successful authentication and before
pam_open_session()"

It should not sacrifice compatibility with other pam implementations as
long as nobody else demands exactly otherwise.

Regards,
--
Ivan
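
The ordering dependency described in the message above, as an added model that is not part of the original post and is not Linux-PAM code: it dispatches each application call to one module type only, the way pam_setcred() reaches "auth" lines and pam_open_session() reaches "session" lines. All names (krb5_like, kcoda_like, run_app, the status values, the cache path) are hypothetical stand-ins.

```c
/* Added model of PAM dispatch; not Linux-PAM code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { OK = 0, CRED_UNAVAIL = 1 };  /* stand-ins for PAM_SUCCESS / PAM_CRED_UNAVAIL */
enum hook { AUTHENTICATE, SETCRED, OPEN_SESSION };
struct handle { int authed; char ccache[48]; };  /* per-transaction state */

/* "auth" module in the pam_krb5 role: credentials appear only at setcred. */
static int krb5_like(struct handle *h, enum hook k) {
    if (k == AUTHENTICATE) { h->authed = 1; return OK; }
    if (k == SETCRED) {
        if (!h->authed) return CRED_UNAVAIL;
        strcpy(h->ccache, "FILE:/tmp/krb5cc_constructed");  /* constructed value */
    }
    return OK;
}

/* "session" module in the pam_kcoda role: needs the ticket cache to exist. */
static int kcoda_like(struct handle *h, enum hook k) {
    return (k == OPEN_SESSION && h->ccache[0] == '\0') ? CRED_UNAVAIL : OK;
}

/* The stack from the message: one auth line, one session line. */
static const struct { const char *type; int (*fn)(struct handle *, enum hook); }
stack[] = { { "auth", krb5_like }, { "session", kcoda_like } };

/* Each application call runs only the modules of one type, so the order of
 * lines in the stack cannot change when setcred runs relative to the session. */
static int dispatch(struct handle *h, enum hook k) {
    const char *type = (k == OPEN_SESSION) ? "session" : "auth";
    for (size_t i = 0; i < sizeof stack / sizeof stack[0]; i++) {
        int rc = strcmp(stack[i].type, type) ? OK : stack[i].fn(h, k);
        if (rc != OK) return rc;
    }
    return OK;
}

/* Run an application's call sequence; return the first failing hook, or -1. */
int run_app(const enum hook *calls, int n) {
    struct handle h = { 0 };
    for (int i = 0; i < n; i++)
        if (dispatch(&h, calls[i]) != OK) return (int)calls[i];
    return -1;
}

int main(void) {
    const enum hook a[] = { AUTHENTICATE, SETCRED, OPEN_SESSION };  /* proposed order */
    const enum hook b[] = { AUTHENTICATE, OPEN_SESSION, SETCRED };  /* the other order */
    printf("setcred first: %d, session first: %d\n", run_app(a, 3), run_app(b, 3));
    return 0;
}
```

With the same two-line stack, the first sequence completes and the second fails at the session step, which is why the fix has to be a rule about the application's call order rather than a change to the module configuration.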




