On Mon, Apr 21, 2008 at 02:06:52PM -0700, Darren J Moffat wrote:
> Implementation Notes
> --------------------
> The module only supports the auth stack. pam_sm_setcred(3PAM) returns
> the same value as pam_sm_authenticate(3PAM) returned or PAM_SUCCESS
> if pam_sm_setcred(3PAM) was called without pam_sm_authenticate(3PAM).
> This isn't ideal as pam_sm_setcred(3PAM) should probably always return
> PAM_IGNORE - comments in the code indicate that the upstream project
> team is aware of this but wants "best compatibility" across all
> PAM implementations.

I don't buy this "best compatibility" note. LinuxPAM fully supports
PAM_IGNORE. It is a bug to return PAM_SUCCESS when the module has done
nothing, and it can lead to misconfigurations that are difficult for
customers to debug, and even to misconfigurations that result in
security holes.

Nico
--
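
An added illustration of the point argued above, not code from the module under review or from any PAM implementation: a simplified model of required/sufficient stack evaluation, showing how a do-nothing module that reports success can short-circuit a stack while one that reports "ignore" cannot. The enum values, module functions and run_stack() are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins; not the values from any real PAM header. */
enum rc   { RC_SUCCESS, RC_IGNORE, RC_AUTH_ERR };
enum flag { REQUIRED, SUFFICIENT };
struct entry { enum flag flag; enum rc (*fn)(void); };

/* Hypothetical modules: one that did no work, reporting it two ways,
 * and a later check that fails. */
static enum rc noop_says_success(void) { return RC_SUCCESS; }
static enum rc noop_says_ignore(void)  { return RC_IGNORE; }
static enum rc real_check_fails(void)  { return RC_AUTH_ERR; }

/* Simplified stack evaluation (assumption: required/sufficient only). */
enum rc run_stack(const struct entry *s, size_t n)
{
    int failed = 0, succeeded = 0;
    for (size_t i = 0; i < n; i++) {
        enum rc r = s[i].fn();
        if (r == RC_IGNORE)
            continue;                    /* entry does not count at all */
        if (s[i].flag == SUFFICIENT) {
            if (r == RC_SUCCESS && !failed)
                return RC_SUCCESS;       /* later entries never run */
            /* a failing sufficient entry is not counted */
        } else if (r == RC_SUCCESS) {
            succeeded = 1;
        } else {
            failed = 1;                  /* required failure is remembered */
        }
    }
    /* No positive result from any entry means the stack fails. */
    return (succeeded && !failed) ? RC_SUCCESS : RC_AUTH_ERR;
}

/* Same stack twice; only the do-nothing module's return value differs. */
const struct entry with_success[] = { { SUFFICIENT, noop_says_success },
                                      { REQUIRED,   real_check_fails  } };
const struct entry with_ignore[]  = { { SUFFICIENT, noop_says_ignore  },
                                      { REQUIRED,   real_check_fails  } };

int main(void)
{
    printf("noop returns success: stack %s\n",
           run_stack(with_success, 2) == RC_SUCCESS ? "succeeds" : "fails");
    printf("noop returns ignore:  stack %s\n",
           run_stack(with_ignore, 2) == RC_SUCCESS ? "succeeds" : "fails");
    return 0;
}
```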
