New and improved pam_exec module
Daniel Richard G.
skunk at iSKUNK.ORG
Tue Aug 1 16:52:43 UTC 2006
On Tue, 2006 Aug 01 11:29:19 +0200, Thorsten Kukuk wrote:
>
> pam_syslog exists on OpenPAM and Linux-PAM as far as I know.
OpenPAM has openpam_log(), so #ifdefs would be needed in any event. But
this isn't a problem. (Not as much as pam_syslog() wanting a pam_handle_t,
anyway...)
> But if you wish to get your module upstream, you have to use the specific
> functions of that project and follow their coding style.
> If you don't wish to do this, you should not submit it upstream but
> maintain it as seperate module.
I do intend to submit the module to the existing projects---though at the
same time, I'd like to avoid large changes between them, so that
cross-pollination remains straightforward.
> > > > expose_account
> > > > try_first_pass
> > > > use_first_pass
> > > > use_mapped_pass
> > >
> > > We don't need them at all.
> >
> > Okay. Should the module accept-but-ignore them?
>
> I would ignore them complete.
Sounds good. It appears that use_first_pass is the only option of interest
anymore, and since the module doesn't have password-prompting code anyway,
it shouldn't make a difference either way.
> > (I see the "4. Generic optional arguments" section in the manual states
> > "Here we list the generic arguments that all modules can expect to be
> > passed," which implies that this ought to be the case.)
>
> The chapter was changed for the new documentation (could be found in
> CVS and I uploaded them now to www.kernel.org).
Excellent! Yes, I was referring to the online copy at kernel.org.
> > Erm... the "2.2 Other functions provided by libpam" section states "The
> > pam_fail_delay() function provides the mechanism by which an application or
> > module can suggest a minimum delay (of micro_sec micro-seconds). Linux-PAM
> > keeps a record of the longest time requested with this function."
> >
> > Am I missing something, or is the manual out of date?
>
> "can suggest". This does not mean you have to use it. You should only
> use if it it makes sense. For exmaple if you write an module, which
> sets the delay to a special value for special purpose. A standard module
> does not need this function.
Okay. I will remove the fail_delay bits from the module and the
documentation.
> Only because a function exist it does not mean you need to use it. You
> refuse to use the other non standard PAM functions, too, so why not
> this one?
Whoa, stop right there---I didn't say that I _refuse_ to use any
Linux-PAM-specific functions. I only said that, up until now, I had
refrained (i.e. held back) from doing so.
I used pam_fail_delay() because the docs discussed how to #ifdef its use
cleanly, and it looked like a potentially helpful feature. A case of,
"well, why not throw this in?" :)
--Daniel
--
NAME = Daniel Richard G. ## Remember, skunks _\|/_ meef?
EMAIL1 = skunk at iskunk.org ## don't smell bad--- (/o|o\) /
EMAIL2 = skunk at alum.mit.edu ## it's the people who < (^),>
WWW = http://www.******.org/ ## annoy them that do! / \
--
(****** = site not yet online)
More information about the Pam-list
mailing list