[OpenAFS-devel] [PATCH]: little bug in pam_afs

Carsten Jacobi carsten@ccac.rwth-aachen.de
Mon, 29 Oct 2001 16:13:16 +0100


On Sun, Oct 21, 2001 at 01:36:21PM -0500, Charles Clancy wrote:
> On Sat, 20 Oct 2001, Derrick J Brashear wrote:
> 
> use_first_pass only makes sense if it's not the first PAM module called.

Ahh, maybe I should give some explanation of the patch. Actually it
does not make the module default to "use_first_pass", because the
patch applies to "afs_setcred.c" but not to "afs_auth.c". Thus, the option
"use_first_pass" is still off by default. But when somebody entered a
password for authentication, the same password should also be used to
fetch the token. That's why afs_setcred.c should have "use_first_pass"
set, so that it directly uses the password given at the time when
"pam_sm_authenticate()" was called, without prompting once more for the
password.

> From what I've seen, people have been recommending:
> 
> auth sufficient pam_afs.so ignore_root
> auth required pam_unix.so
> 
> In this case, there is no first pass to use.  Making use_first_pass the
> default further doesn't make any sense.
> [...]
> Would there be a dont_use_first_pass option, then?  It seems like you'd
> want to leave use_first_pass and try_first_pass alone, if for no other
> reason than to use similar syntax as other modules.

If I also changed "afs_auth.c" you would be right about the strange behaviour
of the patched source. But this way (patching afs_setcred.c only) it should
work fine ...

Carsten Jacobi
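
The prompting behaviour discussed in this message, as an added example that is not part of the original post and is not pam_afs code: a small stand-alone C model of the two entry points with pam_afs first in the stack. All `model_*` names are hypothetical, the password is a constructed value, and the model assumes that use_first_pass with no stored token fails instead of prompting.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for the PAM handle: the stored token and a prompt counter. */
struct model_handle {
    const char *authtok;  /* models the PAM_AUTHTOK item */
    int prompts;          /* times the user was asked for a password */
};

/* Obtain a password, honouring use_first_pass. Returns 0 on success. */
static int model_get_password(struct model_handle *h, int use_first_pass)
{
    if (use_first_pass)   /* assumption: no stored token is a failure */
        return h->authtok != NULL ? 0 : -1;
    h->prompts++;                          /* user is prompted */
    h->authtok = "constructed-password";   /* constructed sample input */
    return 0;
}

/* Models the auth entry point (afs_auth.c in the thread). */
int model_authenticate(struct model_handle *h, int use_first_pass)
{ return model_get_password(h, use_first_pass); }

/* Models the credential entry point (afs_setcred.c in the thread). */
int model_setcred(struct model_handle *h, int use_first_pass)
{ return model_get_password(h, use_first_pass); }

/* One login with pam_afs first in the stack.
 * Returns the number of prompts, or -1 if a step failed. */
int model_login(int auth_first_pass, int cred_first_pass)
{
    struct model_handle h = { NULL, 0 };
    if (model_authenticate(&h, auth_first_pass) != 0) return -1;
    if (model_setcred(&h, cred_first_pass) != 0) return -1;
    return h.prompts;
}

int main(void)
{
    printf("auth prompts, setcred reuses:   %d prompt(s)\n", model_login(0, 1));
    printf("auth prompts, setcred prompts:  %d prompt(s)\n", model_login(0, 0));
    printf("use_first_pass in auth as well: %d (failure)\n", model_login(1, 1));
    return 0;
}
```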