summaryrefslogtreecommitdiff
path: root/doc/man
diff options
context:
space:
mode:
authorTomas Mraz <tmraz@fedoraproject.org>2011-09-30 09:43:54 +0200
committerTomas Mraz <tmraz@fedoraproject.org>2011-09-30 09:43:54 +0200
commitc245299faf6baeba3ea7c493a0f3491407856638 (patch)
treebc54c0a5aa77e9d37be45f31adf34673c53cf641 /doc/man
parent3d8a20af1f5f32ad7e4abf26057e8ef2193bc190 (diff)
Improve documentation of the sufficient and requisite control values. (Red Hat Bug #742413)
Diffstat (limited to 'doc/man')
-rw-r--r--doc/man/pam.conf-syntax.xml17
1 files changed, 8 insertions, 9 deletions
diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml
index bea84d91..da7cfb70 100644
--- a/doc/man/pam.conf-syntax.xml
+++ b/doc/man/pam.conf-syntax.xml
@@ -143,7 +143,8 @@
<para>
like <emphasis>required</emphasis>, however, in the case that
such a module returns a failure, control is directly returned
- to the application. The return value is that associated with
+ to the application or to the superior PAM stack.
+ The return value is that associated with
the first required or requisite module to fail. Note, this flag
can be used to protect against the possibility of a user getting
the opportunity to enter a password over an unsafe medium. It is
@@ -158,14 +159,12 @@
<term>sufficient</term>
<listitem>
<para>
- success of such a module is enough to satisfy the
- authentication requirements of the stack of modules (if a
- prior <emphasis>required</emphasis> module has failed the
- success of this one is <emphasis>ignored</emphasis>). A failure
- of this module is not deemed as fatal to satisfying the
- application that this type has succeeded. If the module succeeds
- the PAM framework returns success to the application immediately
- without trying any other modules.
+ if such a module succeeds and no prior <emphasis>required</emphasis>
+ module has failed the PAM framework returns success to
+ the application or to the superior PAM stack immediately without
+ calling any further modules in the stack. A failure of a
+ <emphasis>sufficient</emphasis> module is ignored and processing
+ of the PAM module stack continues unaffected.
</para>
</listitem>
</varlistentry>