> > Feature, not bug. PAM has been told to use "unix" authentication.
> The bug turns out to be that PAM shouldn't have been told this.  The
> non-PAM case uses the following check to avoid checking for passwords
> on passwordless accounts:
> ---
>               /* if target requires a password, verify it */
>               if (*pwd->pw_passwd) {
> ---
> but the PAM case always calls pam_authenticate() (for non-root).

Right. To avoid a pam/other "turf" fight. I'll do the above until we
can fix the pams to allow a 'if no password, let him in' mode for
the pam_unix module.

> The first form is equivalent to making all accounts passwordless.  I don't
> see how changing the third word could affect this.

Er, yes :-) 

The pam modules need a mode for this. I'll do that.

> login(1) uses the same configuration as su(1) in pam.conf but handles
> passwordless accounts correctly.  In login.c, most of the complications
> for PAM authorization are in the auth_pam() function, and "goto
> ttycheck;" skips over all types of authorization when there is no
> password.  The corresponding code in su.c is a tangle of ifdefs and
> large inline code for PAM authorization.

I need to take out some of that #ifdef hell. For one, KERBEROS is no
longer needed. (fixed locally). WHEELSU needs to be properly documented.

Mark Murray
Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to