Message-Id: <200201191924.g0JJOgt23714@grimreaper.grondar.org>
To: "Andrey A. Chernov"
Cc: Dag-Erling Smorgrav, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: For all who miss it, PAM changes explanation reposted
Date: Sat, 19 Jan 2002 19:24:42 +0000
From: Mark Murray

> On Sat, Jan 19, 2002 at 18:53:59 +0000, Mark Murray wrote:
> >
> > Ok - read the document. It tells you which are allowable. You can read,
> > you are a programmer - you are writing the code. You decide which is the
> > most appropriate one (from the allowable list) and use that.
>
> From my point of view, the only appropriate for this case error code from
> valid pam_sm_authenticate() error codes list in pam_modules.sgml is:
>
>
> For some reason the application does not have sufficient
> credentials to authenticate the user.

This means that "stuff" needed to authenticate the user is insufficient.
(For example, in a two-password scenario where only one password has
been supplied).

If you can use that meaning, then fine! (Note that "insufficient" != "wrong").

If there is no return code to achieve the result that you need, you
may need to come to terms with PAM not being able to do what you want.

> All other codes look even less appropriate as pam_opie() return.
> But if you say that you like another code better, than my choice, I agree
> with you.

You have a clear idea of what you need to achieve - are you sure that
PAM can do this? At this stage, it looks as though PAM (as documented)
cannot. This may be a problem in its own right, in which case PAM
(core PAM) needs to be fixed. If _that_ is the case, this needs
to be carefully thought out and co-ordinated through DES and myself.

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn