pam_setcred() without pam_authenticate()?

Simon Wilkinson sxw at inf.ed.ac.uk
Thu Jun 5 07:54:12 EST 2003


On Wed, 4 Jun 2003, Frank Cusack wrote:
> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.
>
> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

Some modules use calls to pam_setcred to store credentials to disk, based
on other authentication credentials obtained earlier in the process. For
example, to gain AFS credentials based on Kerberos credentials.

If you've obtained Kerberos credentials through a route other than PAM
(i.e. through Kerberos ticket passing), then having this call to pam_setcred
not depend on having called pam_authenticate is really useful.

Cheers,

Simon.




More information about the openssh-unix-dev mailing list