Subject: Re: weird PAM chauthtok behaviour
To: Edgar =?ISO-8859-1?Q?Fu=DF?= <email@example.com>
From: dieter roelants <dieter.NetBSD@pandora.be>
Date: 08/29/2007 20:42:42
On Sat, 25 Aug 2007 19:51:38 +0200
Edgar Fu=DF <firstname.lastname@example.org> wrote:
> I just spent most of the day trying to find out why a PAM =20
> configuration a la (I'm omitting .so, /usr/pkg/lib/security and all =20
> the options here)
> password sufficient pam_ldap
> password required pam_unix
> The problem arises from a strange behaviour of OpenPAM's chauthtok =20
> handling. The whole module chain is run twice, once with =20
> PAM_PRELIM_CHECK and a second time without. But on that first pass, =20
> OpenPAM explicitly treats a control flag of sufficient as optional =20
> Two questions on this:
> 1. Can someone think on a more elegant way of handling that?
Does your config have the use_first_pass (or try_first_pass) option?
> 2. Can someone explain to me why OpenPAM handles sufficient as =20
> optional on the first pass in the first place?
I may be wrong here (I haven't looked at the code), but isn't it just a
pass to check whether all modules used in the config are present and