> > Feature, not bug. PAM has been told to use "unix" authentication.
>
> The bug turns out to be that PAM shouldn't have been told this. The
> non-PAM case uses the following check to avoid checking for passwords
> on passwordless accounts:
> ---
> /* if target requires a password, verify it */
> if (*pwd->pw_passwd) {
> ---
> but the PAM case always calls pam_authenticate() (for non-root).
Right. To avoid a pam/other "turf" fight. I'll do the above until we
can fix the pams to allow a 'if no password, let him in' mode for
the pam_unix module.
> The first form is equivalent to making all accounts passwordless. I don't
> see how changing the third word could affect this.
Er, yes :-)
The pam modules need a mode for this. I'll do that.
> login(1) uses the same configuration as su(1) in pam.conf but handles
> passwordless accounts correctly. In login.c, most of the complications
> for PAM authorization are in the auth_pam() function, and "goto
> ttycheck;" skips over all types of authorization when there is no
> password. The corresponding code in su.c is a tangle of ifdefs and
> large inline code for PAM authorization.
I need to take out some of that #ifdef hell. For one, KERBEROS is no
longer needed. (fixed locally). WHEELSU needs to be properly documented.
M
--
Mark Murray
Warning: this .sig is umop ap!sdn
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
