pam_setcred() without pam_authenticate()?

Darren J Moffat Darren.Moffat at Sun.COM
Thu Jun 5 10:22:49 EST 2003

On Wed, 4 Jun 2003, Frank Cusack wrote:

> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.

yes it should. pam_setcred may be doing stuff that it doesn't need the
PAM_AUTHTOK for.   For example cron(1m) on Solaris calls pam_setcred.

> It seems the the 'auth' part of pam config controls which modules get
> called, so if you didn't to _authenticate() you shouldn't do _setcred().

That is a bug in the specification of PAM there really should have been
a separate auth and cred stack.

Darren J Moffat

More information about the openssh-unix-dev mailing list