Hi Sam,

Yes, I saw the reasons for authpam forking. The problem is, I need more than just a yes/no answer from pam after it authenticates, I also need the environment variables set by my pam modules. mod_krb5 obtains a kerberos ticket and puts its location in the KRB5CCNAME variable. Without that variable, you can't find the ticket.

I'm considering a few ways to pass env vars back from authentication:

0. my patch does pam_getenvlist() in the parent, but as you say, it could leak memory. I call pam_end() in the parent and pam_endsession() in the child. That works on Linux, but maybe not all versions of pam.

1. put authpam back the way it was, but get the child to send the env strings over the pipe. I tried that once and didn't get it, but it may be worth another shot.

Passing env vars is also required to make authdaemon work. What do you think about extending the authdaemon protocol to append env vars to the current YES/NO answer?

--Noel

----- Original Message -----
From: "Sam Varshavchik" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 31, 2002 6:07 PM
Subject: [courier-users] Re: patch for authlib/authpam

> Noel Burton-Krahn writes:
>
> > 1. authpam didn't pass on the environment stored in pam_getenvlist(). Now
> > it does.
> >
> > 2. authpam used a weird forking mechanism so a child process can end the pam
> > session. One process does pam, the other returns authentication success,
>
> There's a reason for that weird forking mechanism. The big comment that you
> removed explains what the reason is. There are some major memory leaks in
> PAM. Or at least there were. The code that runs in the parent context is
> also used in authdaemon, as a persistent process. If the parent carries out
> the PAM calls, the memory leaks will quickly accumulate. That's why the PAM
> calls must occur in the child process, and the parent process only receives
> the indication if the authentication succeeded.
>
> That's why your changes will not work anywhere except your particular
> environment/configuration.
>
> _______________________________________________
> courier-users mailing list
> [EMAIL PROTECTED]
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
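
Option 1 in the message above (the child keeps making the PAM calls and sends the environment strings back over the pipe after the YES/NO answer) could look like the sketch below. This is an added example, not code from the thread or from Courier's authpam; the function name `auth_in_child`, the newline-delimited format and the constructed `sample_env` array (standing in for what pam_getenvlist() would return in the child) are assumptions.

```c
/* Added example, not Courier's code. The child stands in for the process that
 * makes the PAM calls; sample_env is constructed in place of pam_getenvlist(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static const char *sample_env[] = { "KRB5CCNAME=/tmp/krb5cc_example", NULL };

/* Fork a child and read "YES\n" or "NO\n" plus NAME=value lines from the pipe.
 * Stores up to max strdup'ed strings in env; returns their count, -1 on failure. */
int auth_in_child(char **env, int max)
{
    int fds[2], n = 0, status;
    char line[1024];
    pid_t pid;
    FILE *in;

    if (pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                        /* child: PAM calls would go here */
        FILE *out = fdopen(fds[1], "w");
        close(fds[0]);
        if (!out) _exit(1);
        fputs("YES\n", out);               /* answer first, then the environment */
        for (const char **e = sample_env; *e; e++) fprintf(out, "%s\n", *e);
        fclose(out);
        _exit(0);                          /* anything PAM leaked dies with the child */
    }
    close(fds[1]);                         /* parent keeps only the read end */
    if (!(in = fdopen(fds[0], "r"))) { close(fds[0]); waitpid(pid, &status, 0); return -1; }
    if (!fgets(line, sizeof line, in) || strcmp(line, "YES\n") != 0) n = -1;
    while (n >= 0 && n < max && fgets(line, sizeof line, in)) {
        char *nl = strchr(line, '\n'), *eq = strchr(line, '=');
        if (!nl) break;                    /* overlong or unterminated line: stop */
        if (!eq || eq == line) continue;   /* not NAME=value: ignore */
        *nl = '\0';
        if ((env[n] = strdup(line)) != NULL) n++;
    }
    fclose(in);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        while (n > 0) free(env[--n]);      /* child failed: discard what it sent */
        return -1;
    }
    return n;
}
```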
