Date: Fri, 15 Aug 2008 14:00:44 -0400
From: Valeriu Mutu <vmutu@pcbi.upenn.edu>
To: freebsd-doc@freebsd.org
Subject: Improving pam.conf(5) manual page
Message-ID: <20080815180044.GF1327@bsdera.pcbi.upenn.edu>

Hi,

After experimenting with PAM lately I found the manual page pam.conf(5)
somewhat confusing regarding the definition of the "sufficient" control
flag:

    sufficient = If this module succeeds, the chain is broken and the
    result is success. If it fails, the rest of the chain still runs,
    but the final result will be failure unless a later module succeeds.

Nevertheless the chain isn't broken when there are modules with a
"required" flag. Here is an example:

    auth sufficient pam_unix.so debug no_warn try_first_pass
    auth required pam_deny.so debug

Hence, pam_deny will be invoked even if pam_unix succeeds.

If the above is changed to:

    auth sufficient pam_unix.so debug no_warn try_first_pass
    auth sufficient pam_deny.so debug

then pam_deny isn't invoked as it has the "sufficient" flag now.

I checked the manual page for pam.conf(5) in FreeBSD 8-current and it
contains the same definition of "sufficient" as shown above. I checked
it here:

http://www.freebsd.org/cgi/man.cgi?query=pam.conf&apropos=0&sektion=0&manpath=FreeBSD+8-current&format=html

Hence, it would be helpful if the definition be changed to:

    sufficient = If this module succeeds and the following modules are
    sufficient, the chain is broken and the result is success. If it
    fails, the rest of the chain still runs, but the final result will
    be failure unless a later module succeeds.

Valeriu

--
Valeriu Mutu
Penn Center for Bioinformatics
215-573-8119
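
Added example (not part of the original message and not OpenPAM code): a small Python model that applies the manual's current wording and the proposed wording of "sufficient" to the two auth chains in the message and reports which modules each wording says are invoked. The function names, the reading of "the following modules are sufficient" as "every later module is sufficient", and the rule used for "required" are assumptions.

```python
# Added illustration, not OpenPAM code: a toy evaluator for the two wordings
# of "sufficient" discussed in the message. Only "sufficient" and "required"
# are modelled; the "required" rule is an assumption taken from pam.conf(5).

# The two auth chains from the message, as (control flag, module) pairs.
CHAIN_WITH_REQUIRED_DENY = [("sufficient", "pam_unix"), ("required", "pam_deny")]
CHAIN_ALL_SUFFICIENT = [("sufficient", "pam_unix"), ("sufficient", "pam_deny")]


def breaks_per_manual(chain, index):
    """Current wording: a successful 'sufficient' module always breaks the chain."""
    return True


def breaks_per_proposal(chain, index):
    """Proposed wording, read as: break only if every later module is 'sufficient'."""
    return all(flag == "sufficient" for flag, _ in chain[index + 1:])


def evaluate(chain, outcomes, breaks_on_success):
    """Return (modules invoked, final result) for one pass over the chain.

    outcomes maps module name -> True (succeeds) / False (fails); constructed input.
    """
    invoked = []
    required_failed = False   # a failed 'required' module makes the result failure
    last_ok = False           # a later success clears an earlier 'sufficient' failure
    for index, (flag, module) in enumerate(chain):
        invoked.append(module)
        if outcomes[module]:
            last_ok = True
            if flag == "sufficient" and breaks_on_success(chain, index):
                break
        elif flag == "required":
            required_failed = True
        else:
            last_ok = False
    result = "success" if last_ok and not required_failed else "failure"
    return invoked, result


if __name__ == "__main__":
    good_password = {"pam_unix": True, "pam_deny": False}  # pam_deny always fails
    for name, chain in [("required deny", CHAIN_WITH_REQUIRED_DENY),
                        ("sufficient deny", CHAIN_ALL_SUFFICIENT)]:
        for rule in (breaks_per_manual, breaks_per_proposal):
            print(name, rule.__name__, evaluate(chain, good_password, rule))
```

Under the proposed wording the model invokes pam_deny only in the chain where it is "required", which is the behaviour the message reports; under the current wording it is never reached once pam_unix succeeds.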