pam_chauthtok and frozen chain problems
Tomas Mraz
tmraz at redhat.com
Mon Feb 2 14:35:57 UTC 2009
On Mon, 2009-02-02 at 14:50 +0100, Thorsten Kukuk wrote:
> On Mon, Feb 02, Thorsten Kukuk wrote:
>
> > Hi,
> >
> > since Linux-PAM 0.75/0.76 we use a frozen chain for
> > pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.
> >
> > With pam_setcred and pam_session I have no problems, there it is
> > correct.
> > But I got now bug reports because of pam_chauthtok, and I see a
> > real problem there:
> >
> > Nearly all modules always return PAM_SUCCESS for PAM_PRELIM_CHECK
> > if you try to update a password. As a result, "requisite" will be
> > handled as "required" and the control flow will not return to the
> > application on a failure, but the following module on the stack
> > will be called.
> >
> > But reverting that change for pam_chauthtok means breaking
> > "sufficient".
> >
> >
> > I see now several solutions:
> >
> > 1. Ignore the problem and document that "requisite" will not
> > work as expected in most cases for password changes.
> >
> > 2. Revert that change and document that PAM_PRELIM_CHECK
> > after "sufficient" modules will not run, but that the
> > module could still be called for PAM_CHAUTHTOK.
> >
> > 3. Always run all modules with "PAM_PRELIM_CHECK" and
> > ignore "sufficient" and "requisite".
>
> 4. What other PAM implementations are doing:
> - No frozen chain for pam_chauthtok
> - Treat "sufficient" as "optional" in case
> PAM_PRELIM_CHECK is set.
>
> > Any ideas/opinions/other choices?
> >
> > Currently I tend to option 3).
>
> My new favorite is option 4).
That seems to me the best option as well, but I'd like to see opinions
from other PAM developers.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
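To make the control-flow problem in the thread concrete, here is a small toy model of how a `password` stack is walked in the two pam_chauthtok passes. It is added here for illustration and is not Linux-PAM code: the dispatcher is simplified (no `reset`/`jump` actions, no PAM_IGNORE handling), and the module names `quality`, `remote` and `localdb` are placeholders standing in for any modules with the stated PRELIM_CHECK/UPDATE_AUTHTOK behaviour. It replays three variants: the frozen chain (the current behaviour, where the second pass reuses the first pass's return values to pick the action, so a requisite module whose PRELIM_CHECK succeeded can fail at update time without stopping the stack), no frozen chain at all (option 2, where a module after a `sufficient` one can be asked to update a password it never got to pre-check), and option 4.

```python
"""Toy model of a PAM 'password' stack walk for pam_chauthtok.
Constructed for this discussion; NOT Linux-PAM code. Simplified dispatcher:
no 'reset'/'jump' actions and no PAM_IGNORE handling."""
from dataclasses import dataclass

PAM_SUCCESS, PAM_AUTHTOK_ERR, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_AUTHTOK_ERR", "PAM_PERM_DENIED"
PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"


@dataclass
class Module:
    name: str
    control: str   # required | requisite | sufficient | optional
    prelim: str    # what pam_sm_chauthtok returns for PAM_PRELIM_CHECK
    update: str    # what it returns for PAM_UPDATE_AUTHTOK

    def chauthtok(self, flag):
        return self.prelim if flag == PRELIM else self.update


def action_for(control, retval):
    """Classic pam.conf keywords mapped to the dispatcher actions."""
    ok = retval == PAM_SUCCESS
    return {"required":   "ok" if ok else "bad",
            "requisite":  "ok" if ok else "die",
            "sufficient": "done" if ok else "ignore",
            "optional":   "ok" if ok else "ignore"}[control]


def run_pass(stack, flag, trace, cached=None, sufficient_as_optional=False):
    """Walk the stack once. Returns (status, chain); chain[i] is the return
    value the dispatcher used for module i, or None if it was not called.
    With `cached` (the frozen chain from the earlier pass), modules skipped
    before stay skipped and the action is chosen from the *cached* value,
    not from what the module returns now."""
    status, chain = None, []
    for i, m in enumerate(stack):
        if cached is not None and cached[i] is None:
            chain.append(None)          # frozen out in the first pass
            continue
        retval = m.chauthtok(flag)
        trace.append((flag, m.name, retval))
        control = m.control
        if sufficient_as_optional and control == "sufficient":
            control = "optional"        # option 4 during PRELIM_CHECK
        act = action_for(control, cached[i] if cached is not None else retval)
        chain.append(retval)
        if act != "ignore" and status in (None, PAM_SUCCESS):
            status = retval             # first failure wins
        if act == "die" or (act == "done" and status == PAM_SUCCESS):
            chain += [None] * (len(stack) - i - 1)
            break
    return (PAM_PERM_DENIED if status is None else status), chain


def chauthtok(stack, frozen, sufficient_as_optional=False):
    """Two-pass pam_chauthtok. frozen=True models Linux-PAM 0.75+; frozen=False
    alone models option 2; frozen=False + sufficient_as_optional=True is option 4."""
    trace = []
    status, chain = run_pass(stack, PRELIM, trace, sufficient_as_optional=sufficient_as_optional)
    if status == PAM_SUCCESS:
        status, _ = run_pass(stack, UPDATE, trace, cached=chain if frozen else None)
    return status, trace


def called(trace, flag):
    """Names of the modules actually invoked in the given pass."""
    return [name for f, name, _ in trace if f == flag]


# Constructed stacks; module names are placeholders, not real PAM modules.
# A quality checker passes PRELIM_CHECK but rejects the new password:
REQUISITE_STACK = [Module("quality", "requisite", PAM_SUCCESS, PAM_AUTHTOK_ERR),
                   Module("localdb", "required",  PAM_SUCCESS, PAM_SUCCESS)]
# A remote backend passes PRELIM_CHECK but fails at update time:
SUFFICIENT_STACK = [Module("remote",  "sufficient", PAM_SUCCESS, PAM_AUTHTOK_ERR),
                    Module("localdb", "required",   PAM_SUCCESS, PAM_SUCCESS)]

if __name__ == "__main__":
    variants = [("frozen chain", dict(frozen=True)),
                ("no frozen chain", dict(frozen=False)),
                ("option 4", dict(frozen=False, sufficient_as_optional=True))]
    for label, kw in variants:
        for sname, stack in [("requisite", REQUISITE_STACK), ("sufficient", SUFFICIENT_STACK)]:
            status, trace = chauthtok(stack, **kw)
            print(f"{label:16} {sname:10} -> {status:16} prelim: {called(trace, PRELIM)} "
                  f"update: {called(trace, UPDATE)}")
```

Running it shows the two failure modes side by side: with the frozen chain, `localdb` is still called for PAM_UPDATE_AUTHTOK after `quality` has already failed (requisite behaving like required); without the frozen chain, `localdb` is asked to update the password even though it was never called for PAM_PRELIM_CHECK, because the sufficient `remote` module ended the first pass early. Option 4 runs every module's PRELIM_CHECK and still lets requisite stop the update pass.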