Should pam_setcred() be called if pam_authenticate() wasn't called? I would say not; both of these functions are in the authenticate part of pam.

It seems the 'auth' part of pam config controls which modules get called, so if you didn't do _authenticate() you shouldn't do _setcred().

thx
/fc

On Wed, 4 Jun 2003, Frank Cusack wrote:
> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.
>
> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

Some modules use calls to pam_setcred to store credentials to disk, based on other authentication credentials obtained earlier in the process. For example, to gain AFS credentials based on Kerberos credentials.

If you've obtained Kerberos credentials through a route other than PAM (i.e. through Kerberos ticket passing), then having this call to pam_setcred not depend on having called pam_authenticate is really useful.

Cheers,
Simon.

On Wed, 4 Jun 2003, Frank Cusack wrote:
> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.

Yes, it should. pam_setcred may be doing stuff that it doesn't need the PAM_AUTHTOK for. For example, cron(1m) on Solaris calls pam_setcred.

> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

That is a bug in the specification of PAM; there really should have been a separate auth and cred stack.

--
Darren J Moffat

On Wed, Jun 04, 2003 at 02:38:27PM -0700, Frank Cusack wrote:
> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.

Pam_setcred() should be called if the user is authenticated and authorized, even if authentication did not use pam_authenticate().

> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

Just because the setcred stack shares the definition of the auth stack doesn't mean that setcred depends on auth.

Nico
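
Added example, not part of the thread or of any PAM implementation: a small parser for pam.d-style service files that lists which configured modules sit in the stack each PAM call walks, showing that pam_setcred() shares the `auth` lines with pam_authenticate() without requiring it to have run. It assumes Linux-PAM pam.d syntax; the service file is constructed, and control flags are parsed but not evaluated, so the result is the configured stack, not a trace of what would execute.

```python
import re

# PAM API call -> management group (config "type") whose stack it runs.
# pam_authenticate() and pam_setcred() both map to "auth".
CALL_TO_TYPE = {
    "pam_authenticate": "auth",
    "pam_setcred": "auth",
    "pam_acct_mgmt": "account",
    "pam_open_session": "session",
    "pam_close_session": "session",
    "pam_chauthtok": "password",
}

# type, control (a keyword or a [value=action ...] list), module, arguments
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_d(text):
    """Parse pam.d-style text into (type, control, module, args) tuples."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        mtype, control, module, args = m.groups()
        entries.append((mtype.lower(), control, module, args.split()))
    return entries

def stack_for(call, entries):
    """Modules configured in the stack that `call` walks, in file order."""
    wanted = CALL_TO_TYPE[call]
    return [module for mtype, _, module, _ in entries if mtype == wanted]

# Constructed sample service file (not from the thread).
SAMPLE = """\
# /etc/pam.d/example-service (constructed)
auth     required                       pam_unix.so
auth     [success=ok default=ignore]    pam_krb5.so use_first_pass
-auth    optional                       pam_afs_session.so
account  required                       pam_unix.so
session  required                       pam_unix.so
"""

if __name__ == "__main__":
    entries = parse_pam_d(SAMPLE)
    for call in ("pam_authenticate", "pam_setcred", "pam_acct_mgmt"):
        print(f"{call:18} -> {stack_for(call, entries)}")
```
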