Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 22 Jul 2017 17:23:07 +0800
From:      Ben Woods <>
To:        =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= <>,  "" <>
Subject:   PAM conditional authentication (advanced control syntax)
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
Hi des,

First of all, thank you for creating and maintaining OpenPAM!

I have been digging into PAM and kerberos over the last few days, and have
realised I want to have a different control flow krb5 authentication fails
due to an inability to contact the KDC (e.g. network or KDC outage), or if
it fails due to the KDC positively confirming the username/password
combination is incorrect/invalid.

In Linux PAM this is possible using the advanced control syntax, however
this doesn't appear to exist in OpenPAM. Is there any plans to implement
it, or something similar?

The rest of this email is only to provide context of why I want this

The ideal PAM flow in my example use case (using a new local cache PAM
module such as

1. Try kerberos authentication.
    - If krb5 fails with incorrect username/password, then break the chain
and return a failure.
    - If krb5 fails with KDC unreachable, then skip the next 1 module in
the chain (jump to using the cache) with the result a failure unless a
later module succeeds.
    - If krb5 succeeds, then keep going in the chain with the result a
success unless a later module fails

2. Update the local cache with the username/password successfully used in
step 1, and then break the chain returning success.

3. Try authentication against the local cache, and pass or fail based on
the result (ending the chain).

With Linux's advanced control syntax, I believe this would look something
like the following:

auth [service_err=1 success=ok new_authtok_reqd=ok default=die]
auth [default=done] action=update use_first_pass
auth [success=ok new_authtok_reqd=ok default=bad]
action=check use_first_pass

Thanks in advance,

From: Benjamin Woods

Want to link to this message? Use this URL: <>