Joerg Barfurth wrote:
> Hi,
>
> Darren J Moffat schrieb:
> [...]
>> Implementation Notes
>> --------------------
>> The module only supports the auth stack.
>>
>
> This isn't consistent with the 'upstream documentation' section:
My mistake.
>> --- Upstream Documentation ---
>>
> [...]
>> ...
>> auth sufficient /lib/security/pam_radius_auth.so [options]
>> ...
>> account sufficient /lib/security/pam_radius_auth.so
No further code inspection pam_sm_acct_mgmt() does nothing so I don't
know why the documentation suggests that.
Actually it is worse it return PAM_SUCCESS, I'll fix it to return
PAM_IGNORE.
> So what is it?
>
> BTW, on the upstream site I note somewhat contradicting (wrt the section
> quoted by you) documentation, which mentions even more supported stacks:
>
> - There are several places that state that pam_radius_auth does support
> password changing and how to configure it. Is this available in your
> version?
pam_sm_chauthtok() is implemented despite some parts of the
"documentation" in the source tar file contradicting this.
> - There is one place that mentions that pam_radius_auth contains
> (Linux-only) session module support for RADIUS accounting. Is this
> available (and can it be ported to Solaris)?
The source I have (version 1.3.17) does have pam_sm_open_session() and
pam_sm_close_session() are implemented but I don't see any thing Linux
specific in there and the compiled module has those entry points.
Given the above I'm updating the spec for this case as follows (a full
new spec will be sent out):
* rename module to pam_radius - since it does more than auth
* Document that the auth, session, password stacks are all
supported.
* Change the source to return PAM_IGNORE for pam_sm_setcred
and pam_sm_acct_mgmt since they do nothing - this will be #ifdef
for Solaris and offered back upstream.
Thank you very much for your input.
--
Darren J Moffat
