[Fwd: Re: Possible bug in PAM pam-0.99.8.1 regarding password changing]
decoder
decoder at own-hero.net
Sun Oct 14 21:35:35 UTC 2007
Russ Allbery wrote:
> decoder <decoder at own-hero.net> writes:
>
>> Basically he says that you should change your module to do the
>> policy check in the first phase (the preliminary check phase)
>
> This is not possible to do in Kerberos. There's no separate API
> call to verify a password without changing it.
>
> Long-standing behavior or not, I still think this is a bug in PAM.
> If I specify that one password change module should not be called
> if another fails, the *reasons* for the failure are not of interest
> to me. Even if it's a network failure at the last step, it should
> still fail the rest of the stack. I don't know why that wouldn't
> be possible.
I definitely agree with you there; any other behavior is just illogical
and not useful either.
I hope the PAM people agree on this and change the behavior.
Best regards,
Chris