When given the argument try_first_pass, before prompting the user
for their password, the module first tries the previous stacked
auth-module's password in case that satisfies this module as
well. The argument use_first_pass forces the module to use such a
recalled password and will never prompt the user - if no password is
available or the password is not appropriate, the user will be
denied access.

[...]

The argument use_first_pass is used to lock the choice of old and
new passwords to that dictated by the previously stacked password
module. The try_first_pass argument is used to avoid the user having
to re-enter an old password when pam_unix follows a module that
possibly shared the user's old password - if this old password is
not correct the user will be prompted for the correct one.

Thus, I'm quite sure try_first_pass is the correct argument in most of
the cases.

The situation is different if PAM uses the pam_unix2.so module. In
fact, from `man pam_unix2.so`:

use_first_pass
The default is, that pam_unix2 tries to get the authentication
token from a previous module. If no token is available, the user
is asked for the old password. With this option, pam_unix2 aborts
with an error if no authentication token from a previous module
is available.

Thus, pam_unix2.so doesn't have try_first_pass because its behavior is
enabled by default (I tested it on a Debian etch).

However, with both pam_unix and pam_unix2, trying to log in with an
incorrect password at the first prompt gives a login failed instead of
the expected "Password: " prompt, thus I guess there's a bug in the
way pam_thinkfinger manages the password input. IMHO this is a minor
bug.

Finally, here is the patch for README ;-)

--8<---------------cut here---------------start------------->8---
Index: README
===================================================================
--- README (revision 43)
+++ README (working copy)
@@ -54,7 +54,7 @@
 
In order to use pam_thinkfinger, PAM needs to be aware of the module. To
achieve this please edit '/etc/pam.d/common-auth'. You are required to add
-the following directive:
+the following directive before any pam_unix or pam_unix2 directives:
 
auth sufficient pam_thinkfinger.so
 
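Review bot: `+the following directive before any pam_unix or pam_unix2 directives:` states the ordering requirement but not why it exists, and the reader only learns the reason (pam_unix must be told with try_first_pass to reuse the password typed at the pam_thinkfinger prompt, and a module placed earlier cannot receive that token) in the Notes section added further down in the same patch. Suggest a short pointer here, e.g. `+the following directive before any pam_unix or pam_unix2 directives (see Notes below):`, so the ordering does not read as arbitrary.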
@@ -70,6 +70,20 @@
On some systems it is required to execute 'tf-init' once to initialize the
fingerprint reader.
 
+Notes:
+
+If your PAM uses the pam_unix module, you need to pass a specific argument in
+the /etc/pam.d/common-auth directive:
+
+ auth required pam_unix.so try_first_pass
+
+Otherwise, the password entered at the pam_thinkfinger prompt is not considered
+by pam_unix. This is only the case for pam_unix, because pam_unix2
+automatically enables the try_first_pass argument by default. More information
+are available in the Linux-PAM documentation at:
+
+ http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_unix.html
+
PAM Compatibility
=================
 
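Review bot: `+automatically enables the try_first_pass argument by default` is imprecise, since pam_unix2 has no try_first_pass option at all; its manpage (quoted in the mail above) says that taking the token from the previous module is simply its default behaviour, and use_first_pass is the only option it offers. Suggest `+because pam_unix2 tries the previous module's token by default.` It would also help to say why try_first_pass is recommended over use_first_pass: per the pam_unix documentation quoted above, use_first_pass never prompts, so a missing or wrong token denies access outright, whereas try_first_pass falls back to the normal password prompt. Finally, `+are available in the Linux-PAM documentation at:` should read `is available`, as "information" is singular.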
--8<---------------cut here---------------end--------------->8---

Thx, bye,
Gismo / Luca

Footnotes:
[1] http://lists.debian.org/debian-devel/2007/01/msg00765.html
[2] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_unix.html
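An added example, not part of Luca's mail or of the ThinkFinger project: a small POSIX shell checker for the two points the README patch documents, namely that the pam_thinkfinger.so auth line precedes the first pam_unix.so or pam_unix2.so line and that every pam_unix.so auth line carries try_first_pass. It assumes a Debian-style common-auth file written with the plain `type control module args` line syntax (bracketed control fields such as `[success=1 default=ignore]` are not parsed), and any file contents fed to it are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the ThinkFinger README or the mail above.
# check_common_auth FILE: verifies the two points the patch documents for
# a Debian-style common-auth file:
#   1. an "auth ... pam_thinkfinger.so" line precedes the first pam_unix(2) line
#   2. every "auth ... pam_unix.so" line carries try_first_pass
#      (pam_unix2 needs no argument: trying the previous token is its default)
# Assumes plain "type control module args" lines; bracketed control fields
# such as [success=1 default=ignore] are not parsed. Returns 0 when the
# configuration is right, 1 otherwise, with the reason written to stderr.
check_common_auth() {
    file="$1"
    tf_line=0      # line number of the first pam_thinkfinger.so auth entry
    unix_line=0    # line number of the first pam_unix.so / pam_unix2.so auth entry
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '#'*|'') continue ;;     # skip comments and blank lines
        esac
        set -- $line                 # $1=type $2=control $3=module $4..=args
        [ "$1" = "auth" ] || continue
        case "$3" in
            pam_thinkfinger.so)
                [ "$tf_line" -eq 0 ] && tf_line=$n ;;
            pam_unix.so)
                [ "$unix_line" -eq 0 ] && unix_line=$n
                case " $* " in
                    *' try_first_pass '*) ;;
                    *) echo "line $n: pam_unix.so lacks try_first_pass" >&2
                       status=1 ;;
                esac ;;
            pam_unix2.so)
                [ "$unix_line" -eq 0 ] && unix_line=$n ;;
        esac
    done < "$file"
    if [ "$tf_line" -eq 0 ]; then
        echo "no auth line for pam_thinkfinger.so found" >&2
        return 1
    fi
    if [ "$unix_line" -ne 0 ] && [ "$tf_line" -gt "$unix_line" ]; then
        echo "pam_thinkfinger.so (line $tf_line) must come before pam_unix (line $unix_line)" >&2
        status=1
    fi
    return "$status"
}
```

Run it as `check_common_auth /etc/pam.d/common-auth` after editing the file; a non-zero exit with the printed reason means the README's ordering or argument requirement is not met.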
