From owner-cvs-all Thu Jan 24 7:30:24 2002
Message-Id: <200201241530.g0OFU4765408@freefall.freebsd.org>
From: Dag-Erling Smorgrav
Date: Thu, 24 Jan 2002 07:30:04 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/contrib/libpam/libpam pam_dispatch.c
X-FreeBSD-CVS-Branch: HEAD

des         2002/01/24 07:30:04 PST

  Modified files:
    contrib/libpam/libpam pam_dispatch.c
  Log:
  This commit disables chain caching.

  Chain caching is a feature of Linux-PAM, where pam_authenticate() and
  pam_open_session() "freeze" the chain so that their companion primitive
  (pam_setcred() and pam_close_session() respectively) will call the exact
  same modules, skipping those that failed in the previous call.

  There are several reasons not to do this, the most prominent of which is
  that it makes it impossible to call pam_setcred() without first calling
  pam_authenticate() - which is perfectly valid according to DCE/RFC 86.0
  and XSSO, and is necessary to make 'login -f' work.

  Instead of chain caching, implement something similar to the way Solaris'
  libpam behaves: pam_setcred treats "sufficient" modules as if they were
  "required", i.e. does not break the chain when they succeed.

  PAM modules whose pam_sm_setcred() should not be called unless their
  pam_sm_authenticate() succeeded can simply set a state variable using
  pam_set_data() in pam_sm_authenticate(), and use pam_get_data() to check
  it in pam_sm_setcred().

  Sponsored by:	DARPA, NAI Labs

  Revision  Changes    Path
  1.2       +36 -22    src/contrib/libpam/libpam/pam_dispatch.c
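
A simplified model of the dispatch rule and the state-variable pattern described in the log above, as an added example that is not code from this commit or from libpam. Every name in it is hypothetical: the `auth_ok` flag stands in for data stored with pam_set_data() and read with pam_get_data(), and the neutral `IGNORE` result for a skipped setcred is an assumption of the model.

```c
#include <stdio.h>
/* Simplified model; every name is hypothetical, none is libpam API. */
enum ctl  { REQUIRED, SUFFICIENT };
enum prim { AUTHENTICATE, SETCRED };
enum rc   { OK, FAIL, IGNORE };
#define NMOD 2
struct module  { enum ctl control; int gated; enum rc auth_result; };
struct session { int auth_ok[NMOD]; int setcred_called[NMOD]; int creds[NMOD]; };

static enum rc call_module(const struct module *m, int i, struct session *s, enum prim p)
{
    if (p == AUTHENTICATE) {
        if (m->auth_result == OK) s->auth_ok[i] = 1;  /* role of pam_set_data() */
        return m->auth_result;
    }
    s->setcred_called[i] = 1;
    if (m->gated && !s->auth_ok[i])     /* role of pam_get_data() */
        return IGNORE;                  /* assumption: skipped work is neutral */
    s->creds[i] = 1;
    return OK;
}

static enum rc dispatch(const struct module *chain, struct session *s, enum prim p)
{
    int failed = 0;
    for (int i = 0; i < NMOD; i++) {
        enum rc r = call_module(&chain[i], i, s, p);
        if (r == IGNORE) continue;
        /* Rule from the log: in setcred, "sufficient" behaves like "required". */
        enum ctl c = (p == SETCRED) ? REQUIRED : chain[i].control;
        if (c == SUFFICIENT && r == OK && !failed)
            return OK;                  /* authenticate only: success ends the chain */
        if (c == REQUIRED && r == FAIL)
            failed = 1;                 /* keep going, remember the failure */
    }
    return failed ? FAIL : OK;
}

/* Constructed chains: [0] is sufficient and gated, [1] is required and ungated. */
static const struct module chain_first_ok[NMOD]   = { { SUFFICIENT, 1, OK },   { REQUIRED, 0, OK } };
static const struct module chain_first_fail[NMOD] = { { SUFFICIENT, 1, FAIL }, { REQUIRED, 0, OK } };

int main(void)
{
    struct session s = { {0}, {0}, {0} };
    dispatch(chain_first_ok, &s, AUTHENTICATE);   /* stops after module 0 */
    dispatch(chain_first_ok, &s, SETCRED);        /* still walks the whole chain */
    printf("setcred reached module 1: %d\n", s.setcred_called[1]);
}
```

Running setcred on a fresh session, with no authenticate call first, models the 'login -f' case: both modules are called and only the gated one skips its work.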