From 4e53d8d8c64e89a05c24e4a208675f28680f7aa7 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 17 Feb 2009 16:34:47 +0000 Subject: Relevant BUGIDs: bugzilla.novell.com#470337 Purpose of commit: bugfix Commit summary: --------------- 2009-02-17 Thorsten Kukuk * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient can break the PRELIM_CHECK chain. * libpam/pam_dispatch.c: Don't freeze chain for chauthtok [bugzilla.novell.com#470337] --- doc/man/pam_sm_chauthtok.3.xml | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) (limited to 'doc') diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml index c36a0baf..40ab191e 100644 --- a/doc/man/pam_sm_chauthtok.3.xml +++ b/doc/man/pam_sm_chauthtok.3.xml @@ -40,7 +40,7 @@ interface. - This function is used to (re-)set the authentication token of the user. + This function is used to (re-)set the authentication token of the user. Valid flags, which may be logically OR'd with @@ -60,10 +60,10 @@ This argument indicates to the module that the users - authentication token (password) should only be changed if - it has expired. This flag is optional and - must be combined with one of the - following two flags. Note, however, the following two options + authentication token (password) should only be changed if + it has expired. This flag is optional and + must be combined with one of the + following two flags. Note, however, the following two options are mutually exclusive. @@ -72,15 +72,20 @@ PAM_PRELIM_CHECK - This indicates that the modules are being probed as to - their ready status for altering the user's authentication - token. If the module requires access to another system over - some network it should attempt to verify it can connect to - this system on receiving this flag. If a module cannot establish - it is ready to update the user's authentication token it should + This indicates that the modules are being probed as to + their ready status for altering the user's authentication + token. If the module requires access to another system over + some network it should attempt to verify it can connect to + this system on receiving this flag. If a module cannot establish + it is ready to update the user's authentication token it should return PAM_TRY_AGAIN, this information will be passed back to the application. + + If the control value sufficient is used in + the password stack, the PAM_PRELIM_CHECK section + of the modules following that control value is not always executed. + @@ -89,18 +94,18 @@ This informs the module that this is the call it should change the authorization tokens. If the flag is logically OR'd with - PAM_CHANGE_EXPIRED_AUTHTOK, the + PAM_CHANGE_EXPIRED_AUTHTOK, the token is only changed if it has actually expired. - The PAM library calls this function twice in succession. The first - time with PAM_PRELIM_CHECK and then, - if the module does not return + The PAM library calls this function twice in succession. The first + time with PAM_PRELIM_CHECK and then, + if the module does not return PAM_TRY_AGAIN, subsequently with - PAM_UPDATE_AUTHTOK. It is only on + PAM_UPDATE_AUTHTOK. It is only on the second call that the authorization token is (possibly) changed. -- cgit v1.2.3