Date: Thu, 18 Jan 2001 12:05:01 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: freebsd-security@freebsd.org
Subject: PAM broken design? pam_setcred
Message-ID: <20010118120501.B64632@hamlet.nectar.com>

Is it just me, or is pam_setcred broken? For example, with the
following config file:

    login auth sufficient pam_skey.so
    login auth sufficient pam_krb5.so
    login auth required pam_unix.so

Regardless of whether you authenticate with `skey', `krb5', or `unix',
pam_sm_setcred is called in pam_skey.so, i.e. the module search starts
over.

By my reading of the Solaris man page, pam_sm_setcred should be called
in the module that successfully authenticated the user. At any rate
this seems infinitely more useful.

Excerpt from Solaris 2.6 pam(3):

    If the user has been successfully authenticated, the application
    calls pam_setcred() to set any user credentials associated with
    the authentication service. [...] For example, during the call to
    pam_authenticate(), service modules may store data in the handle
    that is intended for use by pam_setcred().

Just looking for a sanity check...

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
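The dispatch described in the message above, as an added example that is not part of the original post and is not libpam code: a simplified Python model of the three-line `login` auth stack, comparing a setcred pass that restarts the module search with one that goes to the module that authenticated the user. It assumes every module's pam_sm_setcred returns success and models only the `sufficient` and `required` control flags; the function names are hypothetical.

```python
# Simplified model of a PAM auth stack (assumption: not real libpam logic).
CONFIG = """\
login auth sufficient pam_skey.so
login auth sufficient pam_krb5.so
login auth required pam_unix.so
"""

def parse(config, service="login", facility="auth"):
    """Return [(control_flag, module), ...] for one service and facility."""
    stack = []
    for line in config.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[:2] == [service, facility]:
            stack.append((fields[2], fields[3]))
    return stack

def walk(stack, hook):
    """Walk the stack top-down, calling hook(module) -> bool.
    Returns (overall_success, [(module, ok), ...]) for the modules reached."""
    trace, failed, any_ok = [], False, False
    for control, module in stack:
        ok = hook(module)
        trace.append((module, ok))
        any_ok = any_ok or ok
        if ok and control == "sufficient" and not failed:
            return True, trace           # a sufficient success ends the walk
        if not ok and control == "required":
            failed = True                # remembered; the walk continues
    return (any_ok and not failed), trace

def setcred_targets(accepting_module, config=CONFIG):
    """Which modules see pam_sm_setcred under each dispatch strategy."""
    stack = parse(config)
    ok, auth_trace = walk(stack, lambda m: m == accepting_module)
    if not ok:
        return None                      # no setcred after failed authentication
    # Reported behaviour: the search starts over from the top of the stack.
    # Assumption: each module's pam_sm_setcred returns success.
    _, restart_trace = walk(stack, lambda m: True)
    return {
        "restart": [m for m, _ in restart_trace],
        "authenticator": [m for m, good in auth_trace if good],
    }

if __name__ == "__main__":
    for mod in ("pam_skey.so", "pam_krb5.so", "pam_unix.so"):
        print(mod, setcred_targets(mod))
```

Under the restart strategy the first `sufficient` entry ends the walk every time, so data that pam_krb5.so or pam_unix.so stored in the handle during pam_authenticate() is never picked up by its own setcred.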