On Mon, Jan 21, 2002 at 00:09:21 +0000, Mark Murray wrote:
> > Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> > > In any case, if I understand what you're trying to do, it can be done
> > > by returning PAM_SUCCESS if OPIE authentication succeeded, PAM_IGNORE
> > > if it failed but Unix authentication is still allowed, and
> > > PAM_AUTH_ERR if OPIE failed and Unix authentication is *not* allowed.
> > > In that case, if you mark pam_opie "sufficient", pam_unix will run
> > > only if OPIE authentication failed but allowed Unix authentication to
> > > proceed.
> > 
> > Hmm, actually, that won't do.  I need to think this over some more.
> The usual route is YES or NO, with IGNORE reserved for modules which
> have no authentication (like say, pam_motd, which prints /etc/motd
> during the pam_session_open() phase). IGNORE may have other uses,
> but I can't remember them offhand.

"sufficient" will not works due to IGNORE assigned to AUTH_ERR reaction.

[default=ignore success=done auth_err=die] 


Do you agree with this variant?

Andrey A. Chernov

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to