use_first_pass/try_first_pass weirdness
Bug #82740 reported by
Alex Mauer
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
if the first PAM module in a stack is missing (returns module_unknown), then any following modules which specify use_first_pass will fail because the first module never prompted for a password.
But if try_first_pass is specified instead for subsequent modules (and the first module is not missing), then there may be two Password: prompts displayed, which can be confusing.
This is with feisty.
To post a comment you must log in.
According to the documentation athttp: //www.kernel. org/pub/ linux/libs/ pam/Linux- PAM-html/ mwg-see- options. html
The module should not prompt the user for a password. Instead, it should obtain the previously typed password (by a call to pam_get_item() for the PAM_AUTHTOK item), and use that. If that doesn't work, then the user will not be authenticated. (This option is intended for auth and passwd modules only).
try_first_pass seems to be deprecated as a generic optional argument.
This appears to be working as designed. You may want to talk with the PAM developers upstream to change the specification.
Thanks for your report!