Re: Patch to include PAM support...

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Patch to include PAM support...
Date: 2001-06-12 18:16:14
Message-ID: Pine.LNX.4.30.0106122000440.756-100000@peter.localdomain
Lists: pgsql-hackers pgsql-patches

Dominic J. Eidson writes:

> > if your PAM setup is that you require exactly one password from the user.
> > But if the PAM setup does not require a password (Kerberos, rhosts
> > modules?) it would involve a useless exchange (and possibly prompt) for a
>
> This works fine - if it doesn't require a password, it won't get to the
> "password prompt" step inside the conversation function, and ends up just
> returning "success".

In the patch I'm looking at, the conversation function doesn't do any
actual "prompting", it looks at the password that has previously been
obtained by way of the password packet exchange. If no password is
required, the password is never looked at, but still obtained. That by
itself causes psql to print a password prompt.

Perhaps this could work: In the switch in be_recvauth(), you call the
pam_authenticate() and friends and if the sequence passes you report back
"OK". In the conversation function -- if it gets called -- send a
password packet and store the answer packet. You might have to play some
tricks here to obtain the answer packet, though.

> In all of the other remote authentication pieces that I have worked
> with/used (radius, tacacs, etc) - if your password is in need to be
> changed and/or expired - your authentication just fails.

Alright.

--
Peter Eisentraut peter_e(at)gmx(dot)net http://funkturm.homeip.net/~peter
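
The flow suggested in this message, as an added example that is not part of the original e-mail, the patch, or PostgreSQL: a mock authentication stack stands in for libpam, and the conversation callback is the only place a password packet is requested, so a stack that needs no password never triggers a prompt. `struct session`, `lazy_conv`, `mock_authenticate` and `run_auth` are hypothetical names, and the callback signature is simplified from PAM's real one.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for PAM's conversation callback (assumption: one prompt). */
typedef int (*conv_fn)(const char *prompt, char *resp, size_t n, void *appdata);

struct session {              /* hypothetical per-connection state */
    const char *client_pw;    /* constructed: what the client answers if asked */
    int packets_sent;         /* password request packets sent to the client */
};

/* Called only if a module wants a password: request it, store the answer. */
static int lazy_conv(const char *prompt, char *resp, size_t n, void *appdata)
{
    struct session *s = appdata;
    (void)prompt;
    s->packets_sent++;                        /* "send a password packet" */
    if (s->client_pw == NULL || strlen(s->client_pw) >= n)
        return -1;                            /* missing or oversized answer */
    strcpy(resp, s->client_pw);               /* "store the answer packet" */
    return 0;
}

/* Mock stack; needs_password == 0 models Kerberos- or rhosts-style modules. */
static int mock_authenticate(int needs_password, const char *expected, conv_fn conv, void *appdata)
{
    char buf[64];
    if (!needs_password)
        return 0;                             /* passes without calling conv */
    if (conv("Password: ", buf, sizeof buf, appdata) != 0)
        return -1;
    return strcmp(buf, expected) == 0 ? 0 : -1;
}

/* Returns the number of password packets sent; *result is 0 on success. */
int run_auth(int needs_password, const char *client_pw, const char *expected, int *result)
{
    struct session s = { client_pw, 0 };
    *result = mock_authenticate(needs_password, expected, lazy_conv, &s);
    return s.packets_sent;
}

int main(void)
{
    int r1, r2, n1 = run_auth(0, "secret", "secret", &r1), n2 = run_auth(1, "secret", "secret", &r2);
    printf("no-password stack: %d/%d, password stack: %d/%d (result/packets)\n", r1, n1, r2, n2);
    return 0;
}
```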
