Lazyweb, I have PAM questions.

I added support for PAM to XScreenSaver in 1998, when PAM itself was a little two-year-old baby. Your keyboard was still PS/2 and HDMI hadn’t been invented yet. For lo these many decades, nobody could agree on what went in /etc/pam.conf or /etc/pam.d/login and it was all a giant mess.

Things that used to sometimes be true:

- If /etc/pam.d/xscreensaver didn’t exist you couldn’t unlock the screen at all.
- “cp /etc/pam.d/login /etc/pam.d/xscreensaver” was insufficient; some lines had to be *omitted.*
- You have to call pam_chauthtok() or an unauthorized user might be able to unlock.
- No, if you call pam_chauthtok() it will always fail, so don’t do that.
- No wait, actually you have to call pam_chauthtok() because it has side effects, but you have to ignore its failure.
- You have to PAM_REFRESH_CRED every time.
- No wait, that doesn’t work, you have to PAM_REINITIALIZE_CRED every time instead. But not on Solaris.

I could not even hazard a guess as to which of these things are still true, or how many decades ago they stopped being true, or which of them are influenced by Linux versus BSD versus Solaris versus HP-UX versus AIX versus Kerberos or other things that nobody cares about any more.

So I am considering making the following changes:

- Always call pam_chauthtok() and respect its result status. I think sshd does this.
- Remove the configure option --enable-pam-check-account-type (which probably should always have been a runtime option, not a compile-time option, but here we are).
- At installation time, create /etc/pam.d/xscreensaver as a file containing the single line “@include login”.
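The third item is an install-time step, and the part that bites in practice is not writing the one line but what to do when the file is already there (several distributions ship their own /etc/pam.d/xscreensaver) or when /etc/pam.d/login is missing, which would leave the lock screen with an empty stack. The script below is an added illustration of how that step can be done safely; it is not XScreenSaver’s installer, and it assumes a Linux-PAM system that understands the Debian-style “@include” directive (other Linux-PAM setups use per-type “auth include login” lines, and BSD/Solaris pam.conf syntax differs again, so the directive must be checked per platform). The PAM directory is a parameter so the functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of XScreenSaver. Assumes Linux-PAM with "@include"
# support; PAM directory is a parameter so this can be tested without root.

# Create $pam_dir/xscreensaver containing "@include login".
# Refuses to clobber a file the distribution already ships, and refuses to
# create a stack that points at a login file which does not exist.
install_xscreensaver_pam_conf() {
    pam_dir="${1:-/etc/pam.d}"
    target="$pam_dir/xscreensaver"

    [ -d "$pam_dir" ] || { echo "$pam_dir does not exist; is PAM in use?" >&2; return 2; }

    if [ -e "$target" ]; then
        # A packager's file wins; overwriting it would silently change policy.
        echo "keeping existing $target" >&2
        return 0
    fi

    if [ ! -e "$pam_dir/login" ]; then
        echo "$pam_dir/login missing; '@include login' would leave xscreensaver with no auth stack" >&2
        return 3
    fi

    # Write to a temp file and rename so a half-written config is never visible.
    tmp="$target.tmp.$$"
    printf '@include login\n' > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$target"
}

# Post-install check: does the xscreensaver service actually pull in login's
# stack, either via the Debian "@include" form or a per-type include/substack?
check_xscreensaver_pam_conf() {
    pam_dir="${1:-/etc/pam.d}"
    target="$pam_dir/xscreensaver"
    [ -f "$target" ] || return 1
    grep -Eq '^[[:space:]]*(@include[[:space:]]+login|(auth|account|password|session)[[:space:]]+(include|substack)[[:space:]]+login)([[:space:]]|$)' "$target"
}

case "${1:-}" in
    install) install_xscreensaver_pam_conf "${2:-/etc/pam.d}" ;;
    check)   check_xscreensaver_pam_conf "${2:-/etc/pam.d}" && echo "ok" ;;
esac
```

Run as “sh script.sh install” as root to create the file, then “sh script.sh check” to confirm the service includes login’s stack; both accept an alternate directory as a second argument for testing.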

What I would like to know is: will this break things on your system? Particular emphasis for this question on people running weird-assed obscure systems.
