[OpenAFS-devel] [PATCH]: little bug in pam_afs

Charles Clancy security@xauth.net
Sun, 21 Oct 2001 13:36:21 -0500 (CDT)


On Sat, 20 Oct 2001, Derrick J Brashear wrote:

> On Wed, 17 Oct 2001, Carsten Jacobi wrote:
>
> > I am very sorry, but I incorporated a small error in my last pam_afs patch.
> > The result is not fatal, it just forces the users to have to type in the
> > password
> > twice. Anyways, since it is annoying it should be removed ...
>
> I'll admit I've been out of the PAM fold a while. This just changes the
> default to be the equivalent of setting the use_first_pass option in the
> configuration for the pam module. Is there a reason for not making people
> specify the option other than "that's how it worked before"? (Which isn't
> necessarily to suggest discounting that reason)

use_first_pass only makes sense if it's not the first PAM module called.
From what I've seen, people have been recommending:

auth sufficient pam_afs.so ignore_root
auth required pam_unix.so

In this case, there is no first pass to use.  Making use_first_pass the
default further doesn't make any sense.

I've always put pam_unix before pam_afs and used use_first_pass.  I've
done this in order to prevent the password prompt from being 'AFS
Password:' (which may give an attacker a lot of information about the
system he or she is attacking).

Would there be a dont_use_first_pass option, then?  It seems like you'd
want to leave use_first_pass and try_first_pass alone, if for no other
reason than to use similar syntax as other modules.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
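The ordering argument in this message (a module can only consume a "first pass" if an earlier module actually prompted for one, and the module that prompts first decides which banner the attacker sees) is easy to check with a small model of how Linux-PAM walks an auth stack. The block below is an added example written for this page; it is not code from the thread, from OpenAFS or from Linux-PAM. It parses constructed `auth` stacks, applies the standard control semantics (required, requisite, sufficient, optional) and the documented authtok behaviour of pam_unix/pam_afs (default: always prompt; use_first_pass: never prompt, fail if no earlier module stored a password; try_first_pass: reuse a stored password, prompt only if it is missing or wrong), and reports which prompts a user would see. The credential tables, the prompt strings, the control flags chosen for the pam_unix-first stack, and the modelling of ignore_root as a non-prompting failure for root are all assumptions made for the example.

```python
"""
Toy evaluator for a Linux-PAM 'auth' stack, used to compare pam_afs /
pam_unix orderings.  Constructed example: not OpenAFS or Linux-PAM code.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SUCCESS, FAIL = "success", "fail"

# Constructed credential backends (assumption): local password file vs AFS.
UNIX_USERS = {"alice": "pw-a", "bob": "pw-b", "root": "pw-root"}
AFS_USERS = {"alice": "pw-a", "carol": "pw-c"}
BACKENDS = {"pam_unix.so": UNIX_USERS, "pam_afs.so": AFS_USERS}
# Prompt banners each module would emit when it has to ask (assumption).
PROMPTS = {"pam_unix.so": "Password: ", "pam_afs.so": "AFS Password: "}

# Stack recommended in the thread: pam_afs prompts first, pam_unix re-prompts.
STACK_AFS_FIRST = """
auth sufficient pam_afs.so ignore_root
auth required   pam_unix.so
"""
# pam_unix first, pam_afs reusing its password; control flags are an assumption.
STACK_UNIX_FIRST = """
auth sufficient pam_unix.so
auth required   pam_afs.so use_first_pass
"""
# use_first_pass on the *first* module: there is no first pass to use.
STACK_FIRST_PASS_FIRST = """
auth sufficient pam_afs.so use_first_pass
auth required   pam_unix.so
"""


@dataclass
class Handle:
    """Per-conversation PAM state: the stored PAM_AUTHTOK and prompts shown."""
    user: str
    typed: str                       # what the user types at every prompt
    authtok: Optional[str] = None    # PAM_AUTHTOK item, set by whoever prompts
    prompts: List[str] = field(default_factory=list)

    def converse(self, prompt: str) -> str:
        self.prompts.append(prompt)
        self.authtok = self.typed
        return self.typed


def run_module(h: Handle, name: str, opts: List[str]) -> str:
    """Authtok handling of pam_unix/pam_afs as a single model function."""
    if name == "pam_afs.so" and "ignore_root" in opts and h.user == "root":
        return FAIL          # assumption: root skipped, no prompt, fails
    creds = BACKENDS[name]
    if "use_first_pass" in opts:
        if h.authtok is None:
            return FAIL      # nothing stored by an earlier module: never prompt
        return SUCCESS if creds.get(h.user) == h.authtok else FAIL
    if "try_first_pass" in opts and h.authtok is not None:
        if creds.get(h.user) == h.authtok:
            return SUCCESS   # reuse worked; otherwise fall through and prompt
    pw = h.converse(PROMPTS[name])
    return SUCCESS if creds.get(h.user) == pw else FAIL


def parse_stack(text: str):
    """Yield (control, module, options) for each 'auth' line of a stack."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, control, module, *opts = line.split()
        if kind == "auth":
            yield control, module, opts


def authenticate(stack_text: str, user: str, typed: str):
    """Walk the stack with Linux-PAM control semantics; return (result, prompts)."""
    h = Handle(user, typed)
    impression = None    # None = undecided, True = positive, False = negative
    for control, module, opts in parse_stack(stack_text):
        ok = run_module(h, module, opts) == SUCCESS
        if control in ("required", "requisite"):
            if not ok:
                impression = False
                if control == "requisite":
                    return FAIL, h.prompts          # die immediately
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return SUCCESS, h.prompts           # done, skip the rest
        elif control == "optional":
            if ok and impression is None:
                impression = True
    # No positive impression (including "every module ignored") is a failure.
    return (SUCCESS if impression is True else FAIL), h.prompts


if __name__ == "__main__":
    for stack, who in ((STACK_AFS_FIRST, "bob"), (STACK_UNIX_FIRST, "carol"),
                       (STACK_FIRST_PASS_FIRST, "alice")):
        print(who, authenticate(stack, who, {"bob": "pw-b", "carol": "pw-c",
                                             "alice": "pw-a"}[who]))
```

Running it shows the three effects discussed above: with pam_afs first, a local-only user (bob) is asked twice, once at "AFS Password: " and once at "Password: ", and every user is shown the AFS banner; with pam_unix first and pam_afs using use_first_pass, an AFS-only user (carol) is authenticated by AFS after a single generic "Password: " prompt; and with use_first_pass on the first module, pam_afs fails silently for everyone because no earlier module stored a password, so the AFS user (alice) only ever authenticates against the local file.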