From c245299faf6baeba3ea7c493a0f3491407856638 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 30 Sep 2011 09:43:54 +0200 Subject: Improve documentation of the sufficient and requisite control values. (Red Hat Bug #742413) --- doc/man/pam.conf-syntax.xml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'doc/man') diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml index bea84d91..da7cfb70 100644 --- a/doc/man/pam.conf-syntax.xml +++ b/doc/man/pam.conf-syntax.xml @@ -143,7 +143,8 @@ like required, however, in the case that such a module returns a failure, control is directly returned - to the application. The return value is that associated with + to the application or to the superior PAM stack. + The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is @@ -158,14 +159,12 @@ sufficient - success of such a module is enough to satisfy the - authentication requirements of the stack of modules (if a - prior required module has failed the - success of this one is ignored). A failure - of this module is not deemed as fatal to satisfying the - application that this type has succeeded. If the module succeeds - the PAM framework returns success to the application immediately - without trying any other modules. + if such a module succeeds and no prior required + module has failed the PAM framework returns success to + the application or to the superior PAM stack immediately without + calling any further modules in the stack. A failure of a + sufficient module is ignored and processing + of the PAM module stack continues unaffected. -- cgit v1.2.3
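Review bot: In the first hunk (the requisite entry), "the superior PAM stack" is introduced without saying what it refers to, so a reader cannot tell from this paragraph when control returns to the application and when it returns to another stack. Add a short clause defining the term or a cross-reference to where nested stacks are documented. The following sentence, "The return value is that associated with the first required or requisite module to fail", should also say whether it holds in both cases.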
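Review bot: In the second hunk (the sufficient entry), the rewrite drops the old explicit statement that the success of a sufficient module is ignored when a prior required module has failed. The new condition "and no prior required module has failed" only implies it, and the text no longer says what happens in that case. This is the case an administrator most needs spelled out, so add a sentence such as "If a prior required module has failed, the success of this module is ignored and processing continues with the next module." A comma after "has failed" would also make the long conditional easier to parse.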