Subject: optional PAM modules?
To: None <>
From: Matthias Drochner <>
List: tech-userlevel
Date: 08/02/2005 21:03:11
This is a multipart MIME message.

Content-Type: text/plain; charset=us-ascii

Experimenting with LDAP and in particular the pam_ldap
module I found it extremely annoying that the openpam
framework locked me out completely if just a single
module listed in the pam.d/x file was missing.
The LDAP stuff is in pkgsrc, and it just happens during
tests and updates that a pkg is not present at some time.

Would it be possible to just ignore lines in the pam
configuration file on system errors if they are optional,
i.e. "sufficient"?
I've used the appended patch to save miself, but given
the complexity of PAM configuration I can't tell whether
this had unexpected security implications.

Could someone more familiar with the matter have a look
at this?

best regards

Content-Type: text/plain ; name="pam.txt"; charset=us-ascii
Content-Description: pam.txt
Content-Disposition: attachment; filename="pam.txt"

Index: openpam_configure.c
RCS file: /cvsroot/src/dist/openpam/lib/openpam_configure.c,v
retrieving revision 1.4
diff -u -r1.4 openpam_configure.c
--- openpam_configure.c	16 Mar 2005 15:28:55 -0000	1.4
+++ openpam_configure.c	2 Aug 2005 17:49:40 -0000
@@ -220,8 +220,14 @@
 			goto syserr;
 		this->module = openpam_load_module(name);
-		if (this->module == NULL)
-			goto fail;
+		if (this->module == NULL) {
+			if (this->flag == PAM_SUFFICIENT) {
+				FREE(this);
+				FREE(line);
+				continue;
+			} else
+				goto fail;
+		}
 		/* module options */
 		p = q = next_word(p);