Chain caching is a feature of Linux-PAM, where pam_authenticate() and
pam_open_session() "freeze" the chain so that their companion
primitive (pam_setcred() and pam_close_session() respectively) will
call the exact same modules, skipping those that failed in the
previous call.
There are several reasons not to do this, the most prominent of which
is that it makes it impossible to call pam_setcred() without first
calling pam_authenticate() - which is perfectly valid according to
DCE/RFC 86.0 and XSSO, and is necessary to make 'login -f' work.
Instead of chain caching, implement something similar to the way
Solaris' libpam behaves: pam_setcred treats "sufficient" modules as if
they were "required", i.e. does not break the chain when they succeed.
PAM modules whose pam_sm_setcred() should not be called unless their
pam_sm_authenticate() succeeded can simply set a state variable using
pam_set_data() in pam_sm_authenticate(), and use pam_get_data() to
check it in pam_sm_setcred().
Sponsored by: DARPA, NAI Labs

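The uncached chain walk described in the message above, as an added Python example that is not OpenPAM's code: the Handle and Module classes, the module names "ticket" and "unix", and booleans standing in for PAM status codes are all constructed for illustration. It shows pam_setcred() walking the whole chain again with "sufficient" treated as "required", and a module gating its pam_sm_setcred() on data left behind by its own pam_sm_authenticate() via pam_set_data()/pam_get_data(), so that 'login -f' (setcred with no prior authenticate) still works.

```python
"""Added illustration, not OpenPAM's code: how pam_authenticate() and
pam_setcred() walk one chain under different rules, and how a module
gates pam_sm_setcred() on state left behind by pam_sm_authenticate()."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Control flags as written in pam.conf / pam.d
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


@dataclass
class Handle:
    """Stand-in for pam_handle_t: module-private data plus a trace of calls."""
    data: Dict[str, object] = field(default_factory=dict)
    calls: List[str] = field(default_factory=list)

    def set_data(self, key: str, value: object) -> None:   # plays the role of pam_set_data()
        self.data[key] = value

    def get_data(self, key: str) -> object:                # plays the role of pam_get_data()
        return self.data.get(key)


@dataclass
class Module:
    name: str
    flag: str
    authenticate: Callable[[Handle], bool]   # pam_sm_authenticate()
    setcred: Callable[[Handle], bool]        # pam_sm_setcred()


def walk_chain(pamh: Handle, chain: List[Module], primitive: str) -> bool:
    """Run one primitive ("authenticate" or "setcred") over the whole chain.

    Nothing is cached between the two calls: setcred walks every module again.
    For setcred, "sufficient" is treated as "required" (the Solaris behaviour),
    so a successful sufficient module does not end the walk."""
    failed = False
    for mod in chain:
        ok = getattr(mod, primitive)(pamh)
        pamh.calls.append(f"{primitive}:{mod.name}:{'ok' if ok else 'fail'}")
        flag = REQUIRED if (primitive == "setcred" and mod.flag == SUFFICIENT) else mod.flag
        if flag == REQUISITE and not ok:
            return False                      # requisite failure ends the chain at once
        if flag == REQUIRED and not ok:
            failed = True                     # keep walking, but the chain will fail
        elif flag == SUFFICIENT and ok and not failed:
            return True                       # authenticate only: short-circuit on success
    return not failed


def gated_module(name: str, flag: str, auth_ok: bool) -> Module:
    """Hypothetical ticket-style module: must not establish credentials unless
    its own pam_sm_authenticate() succeeded earlier in this handle."""
    key = f"{name}.authenticated"

    def authenticate(pamh: Handle) -> bool:
        if auth_ok:
            pamh.set_data(key, True)          # remember success for setcred
        return auth_ok

    def setcred(pamh: Handle) -> bool:
        if not pamh.get_data(key):            # auth never ran or failed: nothing to do
            return True
        pamh.set_data(f"{name}.creds", True)
        return True

    return Module(name, flag, authenticate, setcred)


def ungated_module(name: str, flag: str, auth_ok: bool) -> Module:
    """Hypothetical Unix-account-style module: credential setup depends only on
    the target user, so 'login -f' may call setcred without authenticate."""
    def authenticate(pamh: Handle) -> bool:
        return auth_ok

    def setcred(pamh: Handle) -> bool:
        pamh.set_data(f"{name}.creds", True)
        return True

    return Module(name, flag, authenticate, setcred)


def example_chain() -> List[Module]:
    """Constructed chain: a sufficient ticket-style module ahead of a required Unix-style one."""
    return [gated_module("ticket", SUFFICIENT, auth_ok=True),
            ungated_module("unix", REQUIRED, auth_ok=False)]


def normal_login() -> Handle:
    """pam_authenticate() followed by pam_setcred()."""
    pamh = Handle()
    if not walk_chain(pamh, example_chain(), "authenticate"):
        raise RuntimeError("authentication failed")
    if not walk_chain(pamh, example_chain(), "setcred"):
        raise RuntimeError("setcred failed")
    return pamh


def forced_login() -> Handle:
    """'login -f': pam_setcred() with no prior pam_authenticate()."""
    pamh = Handle()
    if not walk_chain(pamh, example_chain(), "setcred"):
        raise RuntimeError("setcred failed")
    return pamh


if __name__ == "__main__":
    for h in (normal_login(), forced_login()):
        print(h.calls, h.data)
```

In the normal login the sufficient "ticket" module short-circuits pam_authenticate(), so the "unix" module's authenticate never runs, yet both setcred entry points run afterwards; in the forced login the ticket module finds no state and does nothing while the Unix-style module still sets credentials.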
problem, it still didn't DTRT for services that did not have a service-
specific policy if /etc/pam.d existed but did not contain an "other"
policy. This fixes the problems some people have experienced with sudo.
And I almost didn't have to use goto.
The current configuration sequence is:
1) Look for /etc/pam.d/foo
2) If PAM_READ_BOTH_CONFS is defined, or step 1) failed, look for
foo in /etc/pam.conf
3) Look for /etc/pam.d/other (to fill in the gaps)
4) If PAM_READ_BOTH_CONFS is defined, or step 3) failed, look for
other in /etc/pam.conf
I believe this is the intended behaviour of the original code. The least
surprising behaviour seems to be when PAM_READ_BOTH_CONFS is not defined -
/etc/pam.d/foo will be preferred over /etc/pam.conf, but the latter will
serve as a backup if the former does not exist.
Sponsored by: DARPA, NAI Labs

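The four-step lookup sequence from the message above, as an added Python example that is not OpenPAM's loader: the in-memory tables PAM_D and PAM_CONF stand in for /etc/pam.d/ and /etc/pam.conf, the service names and chain lines are constructed, and "filling in the gaps" is modelled as per-facility (an assumption: a facility already defined by an earlier source is not overridden by a later one). The sudo case is the one the commit fixes: /etc/pam.d exists without an "other" policy and without a sudo policy.

```python
"""Added illustration, not OpenPAM's code: the policy lookup order
  1) /etc/pam.d/<service>
  2) <service> lines in /etc/pam.conf if PAM_READ_BOTH_CONFS or 1) failed
  3) /etc/pam.d/other
  4) "other" lines in /etc/pam.conf if PAM_READ_BOTH_CONFS or 3) failed
run over in-memory tables instead of real files."""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str]            # (facility, control flag, module)
Policy = Dict[str, List[Tuple[str, str]]]  # facility -> [(control flag, module), ...]


def merge(chains: Policy, entries: Optional[List[Entry]]) -> bool:
    """Add chains for facilities not yet defined. Returns False when the
    source did not exist (file or pam.conf service not found)."""
    if entries is None:
        return False
    already_defined = set(chains)         # assumption: earlier sources win per facility
    for facility, flag, module in entries:
        if facility not in already_defined:
            chains.setdefault(facility, []).append((flag, module))
    return True


def resolve_policy(service: str, pam_d: Dict[str, List[Entry]],
                   pam_conf: Dict[str, List[Entry]], read_both: bool = False) -> Policy:
    """Build the effective policy for `service`; `read_both` models PAM_READ_BOTH_CONFS."""
    chains: Policy = {}
    found = merge(chains, pam_d.get(service))          # 1) /etc/pam.d/<service>
    if read_both or not found:
        merge(chains, pam_conf.get(service))           # 2) <service> in /etc/pam.conf
    found = merge(chains, pam_d.get("other"))          # 3) /etc/pam.d/other
    if read_both or not found:
        merge(chains, pam_conf.get("other"))           # 4) "other" in /etc/pam.conf
    return chains


# Constructed sample: /etc/pam.d exists but holds neither "other" nor "sudo".
PAM_D: Dict[str, List[Entry]] = {
    "login": [("auth", "required", "pam_unix.so"),
              ("session", "required", "pam_unix.so")],
    "sshd": [("auth", "required", "pam_unix.so")],
}
PAM_CONF: Dict[str, List[Entry]] = {
    "sudo": [("auth", "required", "pam_unix.so")],
    "sshd": [("session", "required", "pam_lastlog.so")],
    "other": [("auth", "required", "pam_deny.so"),
              ("account", "required", "pam_unix.so"),
              ("session", "required", "pam_permit.so")],
}


if __name__ == "__main__":
    for svc in ("sudo", "login", "sshd"):
        print(svc, resolve_policy(svc, PAM_D, PAM_CONF))
    print("sshd with PAM_READ_BOTH_CONFS", resolve_policy("sshd", PAM_D, PAM_CONF, read_both=True))
```

Without PAM_READ_BOTH_CONFS, sudo gets its auth chain from /etc/pam.conf and its account and session chains from the "other" lines there; sshd's session chain comes from "other" unless PAM_READ_BOTH_CONFS is set, in which case the sshd lines in /etc/pam.conf are read as well and fill that facility first.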
RTLD_NOW got incorrectly defined to 1 (which is RTLD_LAZY in FreeBSD).
In addition, the comment about FreeBSD requiring SHLIB_SYM_PREFIX to
be "_" is incorrect.
Submitted by: tobez (except for the bit about the incorrect comment)

> Script started on Sat May 12 22:18:47 2001
> ttyp1:bde@gamplex:/usr/src/libexec/rshd> rsh localhost ls
> rcmd: localhost: Undefined error: 0
Reported by: bde

simple enough to be trusted.

Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>