Dan Nicholson wrote:
> On 7/5/06, Randy McMurchy <[EMAIL PROTECTED]> wrote:
>>
>> Please so I can understand what is going on here, tell me what I
>> need to do *other than using PAM and LOGIN_RETRIES in login.defs*
>> at the same time. Don't ask me to do both (which is what the
>> original post said to do), because that is *not supported*.
>
> I'm sorry to have rubbed you the wrong way. It seems as though the
> shadow package does support both methods, however. There are things I
> have in /etc/pam.d/login and in /etc/login.defs, and they're both
> respected. I respect the fact that you think the best way is to use
> PAM for all configuration if you're using PAM. Looking at lib/getdef.c
> in shadow, only some of the #define's are turned off with PAM.
> LOGIN_RETRIES is not one of those. If the shadow package is doing
> something inappropriate there, then that's unfortunate. Further,
> looking at src/login.c, it seems that retries will go to the default
> of 3 if LOGIN_RETRIES is not found in login.defs. In that case, it
> seems that enforcing the max retries in PAM will only work if the
> number is less than 3. I could very easily be wrong about this. Again,
> I'm not trying to say that you're wrong, only that this is the way the
> program seems to work.
>
> We can certainly move on. I would still encourage Vladimir to submit
> the patch upstream. For the way the package is written, this seems to
> be bug.
>
> --
> Dan
It is a bug. But LOGIN_RETRIES/RETRIES should not be honored at all in
this case. I understand a sane default, but it's a function of PAM now.
The patch needs a little more IMO. Looks like RETRIES define should be
wrapped with '#ifndef USE_PAM', the same for retries...else, 0, and then
the failcount check should be made conditional where *only if* 'retries'
has a value greater than 0 { (...|| retcode != PAM_SUCCESS && failcount
>= retries && retries > 0). Of course, this assuming I read the code
correctly in my quick glance.
-- DJ Lucas
--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
