author | Tomas Mraz <tmraz@fedoraproject.org> | 2011-09-30 09:43:54 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2011-09-30 09:43:54 +0200 |
commit | c245299faf6baeba3ea7c493a0f3491407856638 (patch) | |
tree | bc54c0a5aa77e9d37be45f31adf34673c53cf641 /doc/man | |
parent | 3d8a20af1f5f32ad7e4abf26057e8ef2193bc190 (diff) | |
Improve documentation of the sufficient and requisite control values. (Red Hat Bug #742413)
Diffstat (limited to 'doc/man')
-rw-r--r-- | doc/man/pam.conf-syntax.xml | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml index bea84d91..da7cfb70 100644 --- a/doc/man/pam.conf-syntax.xml +++ b/doc/man/pam.conf-syntax.xml @@ -143,7 +143,8 @@ <para> like <emphasis>required</emphasis>, however, in the case that such a module returns a failure, control is directly returned - to the application. The return value is that associated with + to the application or to the superior PAM stack. + The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is @@ -158,14 +159,12 @@ <term>sufficient</term> <listitem> <para> - success of such a module is enough to satisfy the - authentication requirements of the stack of modules (if a - prior <emphasis>required</emphasis> module has failed the - success of this one is <emphasis>ignored</emphasis>). A failure - of this module is not deemed as fatal to satisfying the - application that this type has succeeded. If the module succeeds - the PAM framework returns success to the application immediately - without trying any other modules. + if such a module succeeds and no prior <emphasis>required</emphasis> + module has failed the PAM framework returns success to + the application or to the superior PAM stack immediately without + calling any further modules in the stack. A failure of a + <emphasis>sufficient</emphasis> module is ignored and processing + of the PAM module stack continues unaffected. </para> </listitem> </varlistentry> |
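Review bot: In the first hunk (@@ -143,7 +143,8 @@, the requisite entry), the added phrase "or to the superior PAM stack" uses a term that the visible paragraph never defines. A reader of the man page cannot tell from these lines when a stack has a superior one. Suggest adding a short qualifier at that point, for example "or, when this stack was entered from another stack, to that superior PAM stack", or a cross-reference to wherever the man page describes how one stack is invoked from another. The same phrase is reused in the sufficient entry, so one definition would serve both.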
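Review bot: In the second hunk (@@ -158,14 +159,12 @@, the sufficient entry), the rewritten paragraph no longer states what happens when a sufficient module succeeds after a prior required module has failed. The removed text said explicitly that in this case "the success of this one is ignored"; the new text covers only success with no prior failure and failure of the sufficient module, leaving the third case to inference. Since this is the case administrators most often get wrong when ordering modules, suggest keeping an explicit sentence such as "If a prior required module has failed, the success of this module is ignored and processing continues." As a style point, the new first sentence also needs a comma after "has failed" to separate the condition from "the PAM framework returns success".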