Revisited: how to get 'auth' result?

Dan Yefimov dan at nf15.lightwave.net.ru
Wed Nov 12 15:28:34 UTC 2008


On 12.11.2008 5:18, Jesse Zbikowski wrote:
> This issue was raised a couple of times this spring without response.
> I would like to know, if there is more than one path for
> authorization in the PAM stack, which one actually succeeded.  For
> example, say I have a PAM configuration file like this:
>
> auth sufficient pam_first.so
> auth sufficient pam_second.so
> acct sufficient pam_first.so
> acct sufficient pam_second.so
>
> The behavior I want is: whichever module succeeds for authorization,
> use the same module when the application makes an accounting request.
>
> The module pam_tacplus.so is "well-behaved" in this regard, in that
> acct will not succeed unless auth already did.  pam_radius_auth.so
> however, at least in my configuration, it is happy to succeed in the
> acct request after a different module handled the auth request, which
> breaks my scheme.
>
Thus your scheme is vulnerable in that respect. Rework it. Read the pam.conf manual
and look for the extended syntax there.

> If it is not possible to get this behavior from PAM out of the box,
> would it make sense to write a custom PAM module to handle this logic?
> That is, my module would internally call pam_authenticate() /
> pam_acct_mgmt() on other PAM services, according to my specifications.
>
Yes, that's possible, but such a module would be hardly dependent on PAM 
internals that can be changed without notice with each PAM release.

> With reference to the original posts on this topic: right now I would
> be if my application could figure out whether it was pam_first.so or
> pam_second.so which succeeded, perhaps via pam_get_item()
>
PAM was developed with application independence from authentication methods and
their order in mind, so that is generally impossible. If your application is
dependent on the modules used and/or their order, it is broken in that respect.
-- 

Sincerely Yours, Dan.
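As an added illustration that is not part of the thread, here is Jesse's two-module stack rewritten with the extended control syntax from pam.conf(5) that Dan points to; the stack type is spelled `account`, not `acct`, and the trailing pam_deny.so lines are an assumed fail-closed hardening rather than something the thread states.

```text
# Added example, not from the thread: Jesse's two-module stack using the
# extended control syntax from pam.conf(5). "sufficient" is defined there as
# [success=done new_authtok_reqd=done default=ignore], written out below.
#
# auth: "done" ends the stack as soon as a module succeeds, so pam_second.so
# never runs once pam_first.so has authenticated; any other result is ignored
# and evaluation falls through to the next line.
auth     [success=done new_authtok_reqd=done default=ignore]  pam_first.so
auth     [success=done new_authtok_reqd=done default=ignore]  pam_second.so
# Fail closed if neither module authenticated (assumed hardening, not in thread).
auth     requisite                                             pam_deny.so

# account: evaluated as a separate stack. The control syntax carries no state
# over from auth, so nothing here can tell which module authenticated; only a
# module that records its own auth result internally (as pam_tacplus.so does)
# can refuse an account request for a session it did not authenticate.
account  [success=done new_authtok_reqd=done default=ignore]  pam_first.so
account  [success=done new_authtok_reqd=done default=ignore]  pam_second.so
account  requisite                                             pam_deny.so
```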