[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_chauthok and froozen chain problems

On Mon, Feb 02, Thorsten Kukuk wrote:

> Hi,
> since Linux-PAM 0.75/0.76 we use a froozen chain for
> pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.
> With pam_setcred and pam_session I have no problems, there it is
> correct. 
> But I got now bug reports because of pam_chauthtok, and I see a
> real problem there:
> Nearly all modules return always PAM_SUCCESS for PAM_PRELIM_CHECK
> if you try to update an password. As result, "requisite" will be
> handled as "required" and the control flow will not return to the
> application in a failure, but the following module on the stack
> will called.
> But reverting that change for pam_chauthok means breaking
> "sufficient".
> I see now several solutions:
> 1. Ignore the problem and document that "requisite" will not
>    work as expected in most cases for password changes.
> 2. Revert that change and document, that PAM_PRELIM_CHECK
>    after "sufficient" modules will not run, but that the
>    module still could be called for PAM_CHAUTHTOK.
> 3. Always run all modules with "PAM_PRELIM_CHECK" and 
>    ignore "sufficient" and "requisite".

4. What other PAM implementations are doing:
   - No froozen chain for pam_chauthtok
   - Treat "sufficient" as "optional" in case
     PAM_PRELIM_CHECK is set.
> Any ideas/opinions/other choices?
> Currently I tend to option 3).

My new favorite is option 4).


Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]