Date: Mon, 21 Jan 2002 03:18:22 +0300 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Mark Murray <mark@grondar.za> Cc: Dag-Erling Smorgrav <des@ofug.org>, current@FreeBSD.ORG Subject: Re: Step5, pam_opie OPIE auth fix for review Message-ID: <20020121001822.GA27831@nagual.pp.ru> In-Reply-To: <200201210009.g0L09Lt34943@grimreaper.grondar.org> References: <xzpr8ok1sl6.fsf@flood.ping.uio.no> <200201210009.g0L09Lt34943@grimreaper.grondar.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jan 21, 2002 at 00:09:21 +0000, Mark Murray wrote: > > Dag-Erling Smorgrav <des@ofug.org> writes: > > > In any case, if I understand what you're trying to do, it can be done > > > by returning PAM_SUCCESS if OPIE authentication succeeded, PAM_IGNORE > > > if it failed but Unix authentication is still allowed, and > > > PAM_AUTH_ERR if OPIE failed and Unix authentication is *not* allowed. > > > In that case, if you mark pam_opie "sufficient", pam_unix will run > > > only if OPIE authentication failed but allowed Unix authentication to > > > proceed. > > > > Hmm, actually, that won't do. I need to think this over some more. > > The usual route is YES or NO, with IGNORE reserved for modules which > have no authentication (like say, pam_motd, which prints /etc/motd > during the pam_session_open() phase). IGNORE may have other uses, > but I can't remember them offhand. "sufficient" will not works due to IGNORE assigned to AUTH_ERR reaction. [default=ignore success=done auth_err=die] works. Do you agree with this variant? -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020121001822.GA27831>