Hi

Note this package is on Niels' list for removal candidates[1].

 [1]: http://lists.debian.org/debian-release/2012/10/msg00817.html

On Sun, Aug 05, 2012 at 09:53:09PM +0200, Luca Falavigna wrote:
> Documentation states that the following line is enough:
> auth sufficient pam_barada.so
> 
> while you have
> auth required pam_barada.so
> 
> Does anything change if you switch to auth sufficient?

I'm not using this package, but I think you are correct on this. Control
value 'sufficient' means:

       sufficient
           success of such a module is enough to satisfy the
           authentication requirements of the stack of modules (if a
           prior required module has failed the success of this one is
           ignored). A failure of this module is not deemed as fatal to
           satisfying the application that this type has succeeded. If
           the module succeeds the PAM framework returns success to the
           application immediately without trying any other modules.

And upstream says the same about how to use the module:

auth sufficient pam_barada.so

This means that when sshd calls out to the PAM stack for authorization,
the barada module will be used before the standard password-based
authorization module. Here we have listed it as "sufficient," which
means that should the authorization succeed it will be considered
successful, but if it fails it will continue on with the rest of the PAM
stack to try and find a success. This means that at any time you can use
an OTP credential or your password.

Control value 'required' would mean something else:

       required
           failure of such a PAM will ultimately lead to the PAM-API
           returning failure but only after the remaining stacked
           modules (for this service and type) have been invoked.

So if it does not fail, it goes on to the next one; required is
(pam.conf(5)):

       required
           [success=ok new_authtok_reqd=ok ignore=ignore default=bad]

which means

       ok
           this tells PAM that the administrator thinks this return code
           should contribute directly to the return code of the full
           stack of modules. In other words, if the former state of the
           stack would lead to a return of PAM_SUCCESS, the module's
           return code will override this value. Note, if the former
           state of the stack holds some value that is indicative of a
           modules failure, this 'ok' value will not be used to
           override that value.

whereas sufficient is

       sufficient
           [success=done new_authtok_reqd=done default=ignore]

meaning

       done
           equivalent to ok with the side effect of terminating the
           module stack and PAM immediately returning to the
           application.

This is also documented in the /usr/share/doc/libpam-barada/README.Debian.

Having this, I'm unsure the bug is really 'grave', as the intended use
of the pam-module is documented this way.

Regards,
Salvatore

Attachment: signature.asc
Description: Digital signature
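To make the difference between the two control values concrete, here is a small added model of how a PAM 'auth' stack is evaluated. It is not code from libpam-barada or Linux-PAM; it only implements the pam.conf(5) action semantics quoted in the message above (ok, done, bad, die, ignore). The password module is assumed to be pam_unix.so, and the per-module return codes fed in are constructed sample data, not real module output.

```python
# Added illustration (not code from libpam-barada or Linux-PAM): a model of how
# a PAM 'auth' stack is walked, enough to compare 'required' and 'sufficient'.
# Module names and return codes below are constructed sample data.

# pam.conf(5) expands the simple keywords into the bracketed action form.
CONTROL_TABLE = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",
                   "default": "ignore"},
}


def _is_failure(code):
    """Codes other than success / new_authtok_reqd count as module failure."""
    return code not in ("success", "new_authtok_reqd")


def evaluate_stack(stack, results):
    """Walk a PAM stack and return (code handed back to the application,
    list of modules that were actually invoked).

    stack   -- list of (control, module) pairs, as in /etc/pam.d/<service>
    results -- dict mapping module name to the code that module would return,
               e.g. 'success' or 'auth_err' (constructed sample data)

    Action semantics, following pam.conf(5):
      ok     -- contributes the code, unless an earlier module already failed
      done   -- like ok, but stops the stack and returns immediately
      bad    -- records a failure; the rest of the stack is still invoked
      die    -- records a failure and stops the stack immediately
      ignore -- the module's code does not influence the stack result
    """
    state = None      # accumulated stack result; None = nothing recorded yet
    invoked = []
    for control, module in stack:
        actions = CONTROL_TABLE[control]
        code = results[module]
        invoked.append(module)
        action = actions.get(code, actions["default"])
        if action == "ignore":
            continue
        # ok/done and bad/die only contribute while no earlier module has
        # failed: the first failure recorded in the stack is what is returned,
        # and a later 'ok' never overrides it.
        if state is None or not _is_failure(state):
            state = code
        if action in ("done", "die"):
            break
    # A stack where no module contributed anything is treated as denial.
    return (state if state is not None else "perm_denied"), invoked


# The two sshd stacks from the bug report: pam_barada.so first, followed by
# the standard password module (pam_unix.so is an assumption here).
STACK_SUFFICIENT = [("sufficient", "pam_barada.so"), ("required", "pam_unix.so")]
STACK_REQUIRED = [("required", "pam_barada.so"), ("required", "pam_unix.so")]


def login(stack, otp_result, password_result):
    """Evaluate one login attempt: the OTP module and password module results
    are the constructed outcomes for that attempt."""
    return evaluate_stack(stack, {"pam_barada.so": otp_result,
                                  "pam_unix.so": password_result})


if __name__ == "__main__":
    for name, stack in (("sufficient", STACK_SUFFICIENT),
                        ("required", STACK_REQUIRED)):
        print(f"auth {name} pam_barada.so")
        print("  good OTP, bad password :", login(stack, "success", "auth_err"))
        print("  no OTP,   good password:", login(stack, "auth_err", "success"))
        print("  no OTP,   bad password :", login(stack, "auth_err", "auth_err"))
```

With 'sufficient', a valid OTP returns success to sshd without pam_unix.so ever being invoked, and a failed OTP simply falls through to the password check. With 'required', a failed OTP makes the whole stack fail even though the password module is still called and succeeds, which is exactly why the two lines behave differently for users who have no OTP at hand.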
