use_first_pass/try_first_pass weirdness
Bug #82740 reported by
Alex Mauer
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| pam (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
if the first PAM module in a stack is missing (returns module_unknown), then any following modules which specify use_first_pass will fail because the first module never prompted for a password.
But if try_first_pass is specified instead for subsequent modules (and the first module is not missing), then there may be two Password: prompts displayed, which can be confusing.
This is with feisty.
Revision history for this message
| Simon Law (sfllaw) wrote | #1 |
| Changed in pam: | |
| status: | Unconfirmed → Rejected |
To post a comment you must log in.
According to the documentation athttp:
The module should not prompt the user for a password. Instead, it should obtain the previously typed password (by a call to pam_get_item() for the PAM_AUTHTOK item), and use that. If that doesn't work, then the user will not be authenticated. (This option is intended for auth and passwd modules only).
try_first_pass seems to be deprecated as a generic optional argument.
This appears to be working as designed. You may want to talk with the PAM developers upstream to change the specification.
Thanks for your report!