8926dc8e12
Chain caching is a feature of Linux-PAM, where pam_authenticate() and pam_open_session() "freeze" the chain so that their companion primitive (pam_setcred() and pam_close_session() respectively) will call the exact same modules, skipping those that failed in the previous call.

There are several reasons not to do this, the most prominent of which is that it makes it impossible to call pam_setcred() without first calling pam_authenticate() - which is perfectly valid according to DCE/RFC 86.0 and XSSO, and is necessary to make 'login -f' work.

Instead of chain caching, implement something similar to the way Solaris' libpam behaves: pam_setcred treats "sufficient" modules as if they were "required", i.e. does not break the chain when they succeed.

PAM modules whose pam_sm_setcred() should not be called unless their pam_sm_authenticate() succeeded can simply set a state variable using pam_set_data() in pam_sm_authenticate(), and use pam_get_data() to check it in pam_sm_setcred().

Sponsored by: DARPA, NAI Labs
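The pam_set_data()/pam_get_data() pattern from the last paragraph of the commit message, as an added example that is not code from this commit or from any PAM implementation. The module name "pam_example", its data key and the "deny" argument are hypothetical, and the small stand-ins at the top replace <security/pam_modules.h> only so the sketch runs without libpam.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins so this runs without libpam; a real module includes
 * <security/pam_modules.h> instead. Return-code values are placeholders. */
enum { PAM_SUCCESS, PAM_AUTH_ERR, PAM_CRED_UNAVAIL, PAM_NO_MODULE_DATA, PAM_BUF_ERR };
typedef struct pam_handle pam_handle_t;
typedef void (*cleanup_fn)(pam_handle_t *, void *, int);
struct pam_handle { const char *name; void *data; cleanup_fn cleanup; }; /* one slot */

int pam_set_data(pam_handle_t *pamh, const char *name, void *data, cleanup_fn cleanup) {
    if (pamh->cleanup) pamh->cleanup(pamh, pamh->data, 0); /* drop replaced entry */
    pamh->name = name; pamh->data = data; pamh->cleanup = cleanup;
    return PAM_SUCCESS;
}
int pam_get_data(const pam_handle_t *pamh, const char *name, const void **data) {
    if (!pamh->name || strcmp(pamh->name, name) != 0) return PAM_NO_MODULE_DATA;
    *data = pamh->data;
    return PAM_SUCCESS;
}

/* ---- module code; "pam_example" and its key name are hypothetical ---- */
#define AUTH_STATE_KEY "pam_example_auth_ok"
static void free_state(pam_handle_t *pamh, void *data, int status) {
    (void)pamh; (void)status;
    free(data);
}

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    (void)flags;
    int *ok = malloc(sizeof *ok);
    if (!ok) return PAM_BUF_ERR;
    /* Constructed stand-in for a credential check: module argument "deny" fails. */
    *ok = !(argc > 0 && strcmp(argv[0], "deny") == 0);
    /* Record the outcome either way so a retry overwrites stale state. */
    int rc = pam_set_data(pamh, AUTH_STATE_KEY, ok, free_state);
    if (rc != PAM_SUCCESS) { free(ok); return rc; }
    return *ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    const void *ok = NULL;
    (void)flags; (void)argc; (void)argv;
    /* With no chain caching this runs even if authenticate failed or never ran. */
    if (pam_get_data(pamh, AUTH_STATE_KEY, &ok) != PAM_SUCCESS || !ok || !*(const int *)ok)
        return PAM_CRED_UNAVAIL;
    /* ... establish the user's credentials here ... */
    return PAM_SUCCESS;
}
```

A module written this way declines in the 'login -f' case, where pam_setcred() is reached without a prior pam_authenticate(); modules that should still set credentials there omit the check.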
#
# $Id: README,v 1.3 2000/11/20 00:01:49 agmorgan Exp $
#

Hello!

Thanks for downloading Linux-PAM.

NOTES:

How to use it is as follows:

    ./configure --help | less
    ./configure <your-options>
    make

Note, if you are worried - don't even think about doing the next line
(most Linux distributions already support PAM out of the box, so if
something goes wrong with installing the code from this version your
box may stop working..)

    make install

That said, please report problems to me.

Andrew Morgan
<morgan@kernel.org>
<agmorgan@users.sourceforge.net>