</citerefentry> interface.
</para>
<para>
- This function is used to (re-)set the authentication token of the user.
+ This function is used to (re-)set the authentication token of the user.
</para>
<para>
Valid flags, which may be logically OR'd with
<listitem>
<para>
This argument indicates to the module that the users
- authentication token (password) should only be changed if
- it has expired. This flag is optional and
- <emphasis>must</emphasis> be combined with one of the
- following two flags. Note, however, the following two options
+ authentication token (password) should only be changed if
+ it has expired. This flag is optional and
+ <emphasis>must</emphasis> be combined with one of the
+ following two flags. Note, however, the following two options
are <emphasis>mutually exclusive</emphasis>.
</para>
</listitem>
<term>PAM_PRELIM_CHECK</term>
<listitem>
<para>
- This indicates that the modules are being probed as to
- their ready status for altering the user's authentication
- token. If the module requires access to another system over
- some network it should attempt to verify it can connect to
- this system on receiving this flag. If a module cannot establish
- it is ready to update the user's authentication token it should
+ This indicates that the modules are being probed as to
+ their ready status for altering the user's authentication
+ token. If the module requires access to another system over
+ some network it should attempt to verify it can connect to
+ this system on receiving this flag. If a module cannot establish
+ it is ready to update the user's authentication token it should
return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
information will be passed back to the application.
</para>
+ <para>
+ If the control value <emphasis>sufficient</emphasis> is used in
+ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
+ of the modules following that control value is not always executed.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<para>
This informs the module that this is the call it should change
the authorization tokens. If the flag is logically OR'd with
- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
+ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
token is only changed if it has actually expired.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
- The PAM library calls this function twice in succession. The first
- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
- if the module does not return
+ The PAM library calls this function twice in succession. The first
+ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
+ if the module does not return
<emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
+ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
the second call that the authorization token is (possibly) changed.
</para>
</refsect1>
}
/*
- * use_cached_chain is how we ensure that the setcred/close_session
- * and chauthtok(2) modules are called in the same order as they did
- * when they were invoked as auth/open_session/chauthtok(1). This
- * feature was added in 0.75 to make the behavior of pam_setcred
- * sane. It was debugged by release 0.76.
+ * use_cached_chain is how we ensure that the setcred and
+ * close_session modules are called in the same order as they did
+ * when they were invoked as auth/open_session. This feature was
+ * added in 0.75 to make the behavior of pam_setcred sane.
*/
if (use_cached_chain != _PAM_PLEASE_FREEZE) {
break;
case PAM_CHAUTHTOK:
h = pamh->handlers.conf.chauthtok;
- if (flags & PAM_UPDATE_AUTHTOK) {
- use_cached_chain = _PAM_MUST_BE_FROZEN;
- }
break;
default:
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
projects / linux-pam / commitdiff