[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_sm_authenticate error code



Steve Langasek wrote:
> 
> On Tue, May 21, 2002 at 05:43:29PM +0530, Sridhar Bandi wrote:
> 
> >     what should be the error code that need to be returned by
> >     pam_sm_authenticate() when the user's account is expired.
> >     Should it return PAM_SUCCESS or PAM_ACCT_EXPIRED.
> >     What I think is it shouldn't return PAM_ACCT_EXPIRED as
> >     its pam_acct_mgmt() job to return this error.
> >      Please clear my doubt , thanks in advance for all the help.
> 
> That's correct.  A PAM application is required to call pam_acct_mgmt()
> after a successful return from pam_authenticate(), so in theory it's ok
> to return PAM_SUCCESS from pam_authenticate().

Another way to think about it is that if the user's account has expired,
it is not the case that joe random should be able to find that out by
simply trying to log in - this information is really only appropriate
for the poor individual who just lost access to their account.

(In addition to the pam_acct_mgmt() failure, it would be entirely
appropriate for pam_sm_setcred() to fail too - with something like
PAM_CRED_ERR. But the pam_acct_mgmt() failure should be enough.)

Cheers

Andrew





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []