On Wed, Oct 22, 2014 at 10:58:07AM -0400, Nathaniel McCallum wrote:
> On Tue, 2014-10-21 at 20:34 +0200, Lukas Slebodnik wrote:
> > On (21/10/14 20:06), Jakub Hrozek wrote:
> > >On Tue, Oct 21, 2014 at 01:29:53PM -0400, Nathaniel McCallum wrote:
> > >> On Tue, 2014-10-21 at 00:44 +0200, Lukas Slebodnik wrote:
> > >> > ehlo,
> > >> >
> > >> > We remove the password from the PAM stack when OTP is used to make sure
> > >> > that other pam modules (pam-gnome-keyring, pam_mount) cannot use it
> > >> > anymore and have to request a password on their own.
> > >> >
> > >> > Resolves: https://fedorahosted.org/sssd/ticket/2287
> > >> >
> > >> > Simple patch is attached.
> > >>
> > >> I may be wrong, but I think that making the pam_add_response() and
> > >> pam_set_item() errors non-fatal is incorrect. Attempting to use the OTP
> > >> credentials again could result in further errors, keyring problems or
> > >> account locking. It seems to me that it would be better to fail the
> > >> authentication if you cannot guarantee that OTP credentials will not be
> > >> reused.
> > >
> > >On the other hand, logging in as the user in question (and then letting
> > >him sudo) might be the only way of getting access into the system at
> > >all..
> >
> > Should I change it or no?
> >
> > It would be a very simple change :-)
>
> I'm not sure I understand Jakub's objection. Could someone clarify?

I was just suggesting to attempt to proceed with login if possible...

> As I understand it, a failure in these functions is largely restricted
> to things like OOM. In such a case, I wonder if login will be possible
> at all.

..but after some more thinking I agree with you. If those two functions
fail, we are looking at a genuine bug, so it's better to abort.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel