Subject: Re: weird PAM chauthtok behaviour
To: Edgar =?ISO-8859-1?Q?Fu=DF?= <>
From: dieter roelants <>
List: tech-userlevel
Date: 08/29/2007 20:42:42

On Sat, 25 Aug 2007 19:51:38 +0200
Edgar Fu=DF <> wrote:

> I just spent most of the day trying to find out why a PAM =20
> configuration a la (I'm omitting .so, /usr/pkg/lib/security and all =20
> the options here)
> password sufficient pam_ldap
> password required   pam_unix

> The problem arises from a strange behaviour of OpenPAM's chauthtok =20
> handling. The whole module chain is run twice, once with =20
> PAM_PRELIM_CHECK and a second time without. But on that first pass, =20
> OpenPAM explicitly treats a control flag of sufficient as optional =20

> Two questions on this:
> 1. Can someone think on a more elegant way of handling that?

Does your config have the use_first_pass (or try_first_pass) option?

> 2. Can someone explain to me why OpenPAM handles sufficient as =20
> optional on the first pass in the first place?

I may be wrong here (I haven't looked at the code), but isn't it just a
pass to check whether all modules used in the config are present and
are loadable?

Kind regards,