path: root/debian/patches-applied/dont_freeze_password_chain
Don't freeze the chain for chauthtok.

bugzilla.novell.com#470337, LP: #303515.

Author: Thorsten Kukuk  <kukuk@thkukuk.de>

Upstream status: cherry-picked from upstream.

=== modified file 'doc/man/pam_sm_chauthtok.3.xml'
--- doc/man/pam_sm_chauthtok.3.xml	2006-06-28 14:22:40 +0000
+++ doc/man/pam_sm_chauthtok.3.xml	2009-02-18 00:34:47 +0000
@@ -40,7 +40,7 @@
       </citerefentry> interface.
     </para>
     <para>
-      This function is used to (re-)set the authentication token of the user. 
+      This function is used to (re-)set the authentication token of the user.
     </para>
     <para>
        Valid flags, which may be logically OR'd with
@@ -60,10 +60,10 @@
         <listitem>
           <para>
             This argument indicates to the module that the users
-            authentication token (password) should only be changed if 
-            it has expired. This flag is optional and 
-            <emphasis>must</emphasis> be combined with one of the 
-            following two flags. Note, however, the following two options 
+            authentication token (password) should only be changed if
+            it has expired. This flag is optional and
+            <emphasis>must</emphasis> be combined with one of the
+            following two flags. Note, however, the following two options
             are <emphasis>mutually exclusive</emphasis>.
           </para>
         </listitem>
@@ -72,15 +72,20 @@
         <term>PAM_PRELIM_CHECK</term>
         <listitem>
           <para>
-            This indicates that the modules are being probed as to 
-            their ready status for altering the user's authentication 
-            token. If the module requires access to another system over 
-            some network it should attempt to verify it can connect to 
-            this system on receiving this flag. If a module cannot establish 
-            it is ready to update the user's authentication token it should 
+            This indicates that the modules are being probed as to
+            their ready status for altering the user's authentication
+            token. If the module requires access to another system over
+            some network it should attempt to verify it can connect to
+            this system on receiving this flag. If a module cannot establish
+            it is ready to update the user's authentication token it should
             return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
             information will be passed back to the application.
           </para>
+          <para>
+             If the control value <emphasis>sufficient</emphasis> is used in
+             the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
+             of the modules following that control value is not always executed.
+          </para>
         </listitem>
       </varlistentry>
       <varlistentry>
@@ -89,18 +94,18 @@
           <para>
             This informs the module that this is the call it should change
             the authorization tokens. If the flag is logically OR'd with
-            <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the 
+            <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
             token is only changed if it has actually expired.
           </para>
         </listitem>
       </varlistentry>
     </variablelist>
     <para>
-      The PAM library calls this function twice in succession. The first 
-      time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then, 
-      if the module does not return 
+      The PAM library calls this function twice in succession. The first
+      time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
+      if the module does not return
       <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
-      <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on 
+      <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
       the second call that the authorization token is (possibly) changed.
     </para>
   </refsect1>

=== modified file 'libpam/pam_dispatch.c'
--- libpam/pam_dispatch.c	2008-12-03 22:16:33 +0000
+++ libpam/pam_dispatch.c	2009-02-18 00:34:47 +0000
@@ -132,11 +132,10 @@
 	}
 
 	/*
-	 * use_cached_chain is how we ensure that the setcred/close_session
-	 * and chauthtok(2) modules are called in the same order as they did
-	 * when they were invoked as auth/open_session/chauthtok(1). This
-	 * feature was added in 0.75 to make the behavior of pam_setcred
-	 * sane. It was debugged by release 0.76.
+	 * use_cached_chain is how we ensure that the setcred and
+         * close_session modules are called in the same order as they did
+	 * when they were invoked as auth/open_session. This feature was
+	 * added in 0.75 to make the behavior of pam_setcred sane.
 	 */
 	if (use_cached_chain != _PAM_PLEASE_FREEZE) {
 
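Review bot: The rewritten comment above the `use_cached_chain != _PAM_PLEASE_FREEZE` test drops chauthtok from the list without saying that the omission is deliberate, which is the security-relevant part of this patch. With the `_PAM_MUST_BE_FROZEN` assignment removed in the later `case PAM_CHAUTHTOK` hunk, the PAM_UPDATE_AUTHTOK pass appears to walk the password stack afresh, so it can reach a module whose PAM_PRELIM_CHECK pass was skipped behind a `sufficient` entry, as the man page text added in this patch states. I would add a sentence to the comment such as `chauthtok is deliberately not frozen: a module may see PAM_UPDATE_AUTHTOK without a preceding PAM_PRELIM_CHECK and must not rely on state set there.` The second added comment line is also indented with spaces where its neighbours use a tab. The enclosing function begins and ends outside this hunk.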
@@ -358,9 +357,6 @@
 	break;
     case PAM_CHAUTHTOK:
 	h = pamh->handlers.conf.chauthtok;
-	if (flags & PAM_UPDATE_AUTHTOK) {
-	    use_cached_chain = _PAM_MUST_BE_FROZEN;
-	}
 	break;
     default:
 	pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);