Date: 21 Jan 2002 00:56:46 +0100 From: Dag-Erling Smorgrav <des@ofug.org> To: "Andrey A. Chernov" <ache@nagual.pp.ru> Cc: Mark Murray <mark@grondar.za>, current@FreeBSD.ORG Subject: Re: Step5, pam_opie OPIE auth fix for review Message-ID: <xzpvgdw1sqp.fsf@flood.ping.uio.no> In-Reply-To: <20020120233050.GA26913@nagual.pp.ru> References: <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
"Andrey A. Chernov" <ache@nagual.pp.ru> writes: > Yes. And to allow PAM stack to make right decision, pam_opie pass special > information to PAM stack. Look at the patch, pam_opie not breaks from the > stack by yourself, it is /etc/pam* do that using information from > pam_opie. What I can't understand is why OPIE is making that decision in the first place. The only answer I can think of is that it was written before the advent of PAM, and tries to be a poor man's PAM. That is not its place. In any case, if I understand what you're trying to do, it can be done by returning PAM_SUCCESS if OPIE authentication succeeded, PAM_IGNORE if it failed but Unix authentication is still allowed, and PAM_AUTH_ERR if OPIE failed and Unix authentication is *not* allowed. In that case, if you mark pam_opie "sufficient", pam_unix will run only if OPIE authentication failed but allowed Unix authentication to proceed. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpvgdw1sqp.fsf>