pam_chauthtok and frozen chain problems

Thorsten Kukuk kukuk at suse.de
Mon Feb 2 13:50:28 UTC 2009


On Mon, Feb 02, Thorsten Kukuk wrote:

> Hi,
> 
> since Linux-PAM 0.75/0.76 we use a frozen chain for
> pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.
> 
> With pam_setcred and pam_session I have no problems, there it is
> correct. 
> But I got now bug reports because of pam_chauthtok, and I see a
> real problem there:
> 
> Nearly all modules always return PAM_SUCCESS for PAM_PRELIM_CHECK
> if you try to update a password. As a result, "requisite" will be
> handled as "required" and the control flow will not return to the
> application on a failure, but the following module on the stack
> will be called.
> 
> But reverting that change for pam_chauthtok means breaking
> "sufficient".
> 
> 
> I see now several solutions:
> 
> 1. Ignore the problem and document that "requisite" will not
>    work as expected in most cases for password changes.
> 
> 2. Revert that change and document that PAM_PRELIM_CHECK
>    after "sufficient" modules will not run, but that the
>    module could still be called for PAM_CHAUTHTOK.
> 
> 3. Always run all modules with "PAM_PRELIM_CHECK" and 
>    ignore "sufficient" and "requisite".

4. What other PAM implementations are doing:
   - No frozen chain for pam_chauthtok
   - Treat "sufficient" as "optional" in case
     PAM_PRELIM_CHECK is set.
 
> Any ideas/opinions/other choices?
> 
> Currently I tend towards option 3).

My new favorite is option 4).

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
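The control-flow question in the mail (a requisite module that says yes at PAM_PRELIM_CHECK but fails at PAM_UPDATE_AUTHTOK under a frozen chain, and a sufficient module that short-circuits the prelim pass when the chain is not frozen), as an added example that is not part of the original mail or of Linux-PAM: a small Python model of a "password" stack run in two passes. The module names, their return codes and the two stacks are constructed; the frozen-chain policy is modelled only as far as the mail describes it (the modules reached in the prelim pass are replayed with no early return), and none of this is Linux-PAM's dispatcher.

```python
"""Model of pam_chauthtok running a 'password' stack in two passes.

Added example, constructed for illustration: this is not Linux-PAM's
dispatcher, only a small model of the behaviours the mail compares
(frozen chain, unfrozen chain, and 'option 4').  Module names and
their return codes are made up.
"""
from dataclasses import dataclass

PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 20          # numeric values as in Linux-PAM's _pam_types.h
PAM_PRELIM_CHECK = 0x4000
PAM_UPDATE_AUTHTOK = 0x2000


@dataclass(frozen=True)
class Module:
    name: str
    control: str       # required | requisite | sufficient | optional
    prelim: int        # what the module returns for PAM_PRELIM_CHECK
    update: int        # what the module returns for PAM_UPDATE_AUTHTOK

    def call(self, flags, calls):
        """Invoke the module for one pass and record (name, pass, return code)."""
        is_prelim = bool(flags & PAM_PRELIM_CHECK)
        ret = self.prelim if is_prelim else self.update
        calls.append((self.name, "prelim" if is_prelim else "update", ret))
        return ret


def run_stack(stack, flags, calls, sufficient_as_optional=False):
    """One pass over the stack with the usual control-flag semantics."""
    failure = None     # first error from a required/requisite module
    decided = None     # PAM_SUCCESS once a non-optional module succeeded
    fallback = None    # last optional result, used only if nothing else decided
    for mod in stack:
        ret = mod.call(flags, calls)
        control = mod.control
        if sufficient_as_optional and control == "sufficient":
            control = "optional"   # option 4: no short-circuit in the prelim pass
        if control == "requisite" and ret != PAM_SUCCESS:
            return ret             # straight back to the application
        if control in ("required", "requisite"):
            if ret != PAM_SUCCESS:
                failure = ret if failure is None else failure
            else:
                decided = PAM_SUCCESS
        elif control == "sufficient":
            if ret == PAM_SUCCESS and failure is None:
                return PAM_SUCCESS # rest of the stack skipped; a failure here is ignored
        else:
            fallback = ret
    if failure is not None:
        return failure
    if decided is not None:
        return decided
    return fallback if fallback is not None else PAM_AUTHTOK_ERR  # model simplification


def chauthtok_unfrozen(stack, calls):
    """Option 2: both passes evaluated independently with normal semantics."""
    rc = run_stack(stack, PAM_PRELIM_CHECK, calls)
    return rc if rc != PAM_SUCCESS else run_stack(stack, PAM_UPDATE_AUTHTOK, calls)


def chauthtok_option4(stack, calls):
    """Option 4: no frozen chain; 'sufficient' acts as 'optional' in the prelim pass."""
    rc = run_stack(stack, PAM_PRELIM_CHECK, calls, sufficient_as_optional=True)
    return rc if rc != PAM_SUCCESS else run_stack(stack, PAM_UPDATE_AUTHTOK, calls)


def chauthtok_frozen(stack, calls):
    """Frozen chain as modelled here: the modules reached in the prelim pass are
    replayed in the update pass with no early return, so a failing requisite
    module only sets the result and the next module is still called."""
    prelim_calls = []
    rc = run_stack(stack, PAM_PRELIM_CHECK, prelim_calls)
    calls.extend(prelim_calls)
    if rc != PAM_SUCCESS:
        return rc
    reached = {name for name, _, _ in prelim_calls}
    result = PAM_SUCCESS
    for mod in (m for m in stack if m.name in reached):
        ret = mod.call(PAM_UPDATE_AUTHTOK, calls)
        if mod.control in ("required", "requisite") and ret != PAM_SUCCESS \
                and result == PAM_SUCCESS:
            result = ret       # requisite behaves like required: no early return
    return result


# Constructed stacks with hypothetical module names.
REQUISITE_STACK = [
    Module("policy_check", "requisite", PAM_SUCCESS, PAM_AUTHTOK_ERR),  # ok at prelim, rejects at update
    Module("local_update", "required", PAM_SUCCESS, PAM_SUCCESS),
]
SUFFICIENT_STACK = [
    Module("remote_update", "sufficient", PAM_SUCCESS, PAM_AUTHTOK_ERR),  # backend fails only when writing
    Module("local_update", "required", PAM_SUCCESS, PAM_SUCCESS),
]


def trace(policy, stack):
    """Return (final return code, list of (module, pass, return code) calls)."""
    calls = []
    return policy(stack, calls), calls


if __name__ == "__main__":
    for policy in (chauthtok_frozen, chauthtok_unfrozen, chauthtok_option4):
        print(policy.__name__, "requisite stack ->", trace(policy, REQUISITE_STACK))
    for policy in (chauthtok_unfrozen, chauthtok_option4):
        print(policy.__name__, "sufficient stack ->", trace(policy, SUFFICIENT_STACK))
```

Running it shows the two effects the mail describes: with the frozen chain, `local_update` is still called at PAM_UPDATE_AUTHTOK after the requisite `policy_check` has already failed, whereas the unfrozen policies return to the application at once; and with the unfrozen chain of option 2, `local_update` is called at PAM_UPDATE_AUTHTOK without ever having seen PAM_PRELIM_CHECK, which option 4 avoids by not letting "sufficient" short-circuit the prelim pass.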