Date:      Thu, 24 Jan 2002 07:30:04 -0800 (PST)
From:      Dag-Erling Smorgrav <des@FreeBSD.org>
To:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/contrib/libpam/libpam pam_dispatch.c
Message-ID:  <200201241530.g0OFU4765408@freefall.freebsd.org>

des         2002/01/24 07:30:04 PST

  Modified files:
    contrib/libpam/libpam pam_dispatch.c 
  Log:
  This commit disables chain caching.
  
  Chain caching is a feature of Linux-PAM, where pam_authenticate() and
  pam_open_session() "freeze" the chain so that their companion
  primitive (pam_setcred() and pam_close_session() respectively) will
  call the exact same modules, skipping those that failed in the
  previous call.
  
  There are several reasons not to do this, the most prominent of which
  is that it makes it impossible to call pam_setcred() without first
  calling pam_authenticate() - which is perfectly valid according to
  DCE/RFC 86.0 and XSSO, and is necessary to make 'login -f' work.
  
  Instead of chain caching, implement something similar to the way
  Solaris' libpam behaves: pam_setcred treats "sufficient" modules as if
  they were "required", i.e. does not break the chain when they succeed.
  
  PAM modules whose pam_sm_setcred() should not be called unless their
  pam_sm_authenticate() succeeded can simply set a state variable using
  pam_set_data() in pam_sm_authenticate(), and use pam_get_data() to
  check it in pam_sm_setcred().
  
  Sponsored by:   DARPA, NAI Labs
  
  Revision  Changes    Path
  1.2       +36 -22    src/contrib/libpam/libpam/pam_dispatch.c
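
The behaviour described in this log message, as a small self-contained C model added here (it is not part of the commit and is not libpam code): per-handle arrays stand in for what pam_set_data() and pam_get_data() would store, and every struct, function and chain name is hypothetical. It assumes that a guarded module which finds no recorded success returns success without establishing credentials.

```c
/* Added model of the dispatch behaviour; not libpam code. All names are hypothetical. */
#include <stdio.h>

enum ctl  { REQUIRED, SUFFICIENT };
enum prim { AUTHENTICATE, SETCRED };
#define NMOD 3

struct module { enum ctl ctl; int auth_result; int guarded; };
/* Per-handle state, standing in for data kept with pam_set_data()/pam_get_data(). */
struct handle { int auth_ok[NMOD]; int cred_set[NMOD]; };

static int sm_authenticate(struct handle *h, const struct module *m, int i) {
    if (m->auth_result) h->auth_ok[i] = 1;      /* module records its own success */
    return m->auth_result;
}

static int sm_setcred(struct handle *h, const struct module *m, int i) {
    /* Assumption: a guarded module whose own authentication did not succeed does nothing. */
    if (m->guarded && !h->auth_ok[i]) return 1;
    h->cred_set[i] = 1;
    return 1;
}

/* No cached chain: every call walks all modules; only AUTHENTICATE stops on "sufficient". */
static int dispatch(struct handle *h, const struct module *c, enum prim p) {
    int ok = 1;
    for (int i = 0; i < NMOD; i++) {
        int r = (p == AUTHENTICATE) ? sm_authenticate(h, &c[i], i)
                                    : sm_setcred(h, &c[i], i);
        if (r && ok && c[i].ctl == SUFFICIENT && p == AUTHENTICATE) return 1;
        if (!r && (c[i].ctl == REQUIRED || p == SETCRED)) ok = 0; /* sufficient as required */
    }
    return ok;
}

/* Constructed chain: sufficient+guarded, required+guarded, required+unguarded. */
static const struct module chain[NMOD] = {
    { SUFFICIENT, 1, 1 }, { REQUIRED, 1, 1 }, { REQUIRED, 1, 0 },
};

/* Returns a bitmask of the modules that established credentials, or -1 on failure. */
int creds_after(int call_authenticate) {
    struct handle h = { {0}, {0} };
    if (call_authenticate && !dispatch(&h, chain, AUTHENTICATE)) return -1;
    if (!dispatch(&h, chain, SETCRED)) return -1;
    return h.cred_set[0] | (h.cred_set[1] << 1) | (h.cred_set[2] << 2);
}

int main(void) {
    printf("authenticate+setcred: %d, setcred only: %d\n", creds_after(1), creds_after(0));
    return 0;
}
```

With authenticate first, the first and third modules establish credentials (mask 5), because the second module never ran its authenticate step. With setcred alone, as in the 'login -f' case, only the unguarded third module does (mask 4).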
