On Sat, 20 Oct 2001, Derrick J Brashear wrote:

> On Wed, 17 Oct 2001, Carsten Jacobi wrote:
>
> > I am very sorry, but I incorporated a small error in my last pam_afs patch.
> > The result is not fatal, it just forces the users to have to type in the
> > password twice. Anyways, since it is annoying it should be removed ...
>
> I'll admit I've been out of the PAM fold a while. This just changes the
> default to be the equivalent of setting the use_first_pass option in the
> configuration for the pam module. Is there a reason for not making people
> specify the option other than "that's how it worked before"? (Which isn't
> necessarily to suggest discounting that reason)

use_first_pass only makes sense if it's not the first PAM module called.
From what I've seen, people have been recommending:

    auth sufficient pam_afs.so ignore_root
    auth required pam_unix.so

In this case, there is no first pass to use. Making use_first_pass the
default further doesn't make any sense.

I've always put pam_unix before pam_afs and used use_first_pass. I've done
this in order to prevent the password prompt from being 'AFS Password:'
(which may give an attacker a lot of information about the system he or she
is attacking).

Would there be a dont_use_first_pass option, then? It seems like you'd want
to leave use_first_pass and try_first_pass alone, if for no other reason
than to use similar syntax as other modules.

--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
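
An added example, not part of the original message and not OpenAFS code: a small Python check of the two points made in the reply above, namely that use_first_pass or try_first_pass on the first auth module has no earlier password to reuse, and that stack order decides whose prompt the user sees. The function names, the control flags in the reordered stack, and the simplification that every auth line is a password-checking module are assumptions.

```python
def parse_auth_stack(text):
    """Return [(module, [args])] for the auth lines of a pam.d-style file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        i = 1  # index of the last token of the control field
        if fields[1].startswith("["):  # bracketed control: [value=action ...]
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields):
            continue  # malformed line, no module path
        stack.append((fields[i + 1], fields[i + 2:]))
    return stack

def lint_auth_stack(text):
    """Flag *_first_pass options on the first auth module of the stack."""
    stack = parse_auth_stack(text)
    if not stack:
        return []
    module, args = stack[0]
    return [f"{module}: {opt} set on the first auth module, nothing to reuse"
            for opt in ("use_first_pass", "try_first_pass") if opt in args]

def prompting_module(text):
    """First auth module that is allowed to ask for a password itself.
    Assumption: every auth line is a password-checking module."""
    for module, args in parse_auth_stack(text):
        if "use_first_pass" not in args:
            return module
    return None

# Stack quoted in the message: pam_afs is first, so its prompt is shown.
AFS_FIRST = """auth sufficient pam_afs.so ignore_root
auth required pam_unix.so"""

# Order described in the message; the control flags here are assumed.
UNIX_FIRST = """auth sufficient pam_unix.so
auth required pam_afs.so use_first_pass ignore_root"""

# Constructed: what a use_first_pass default would amount to on AFS_FIRST.
AFS_FIRST_REUSE = """auth sufficient pam_afs.so use_first_pass ignore_root
auth required pam_unix.so"""

if __name__ == "__main__":
    for name in ("AFS_FIRST", "UNIX_FIRST", "AFS_FIRST_REUSE"):
        cfg = globals()[name]
        print(name, prompting_module(cfg), lint_auth_stack(cfg))
```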
