Hi

"Andreas B. Mundt" <a...@debian.org> writes:

> Control: tags -1 + patch
>
> Hi,
>
> I think the patch below should address the issue. I am not completely
> sure about the "*-Type: Additional", but from [1] and [2] and the
> links there I think it should be as below.
>
> This modification follows the principle of 'least surprise': Neither
> you are logged in without password as before with 'sufficient' and an
> arbitrary script exiting 0, nor you are unable to log in which
> might happen with 'required' and a script exiting non-zero. So I
> guess this is a good default.
>
> CC Gaudenz to allow for his input/comments too.

Thanks for CCing me. I was not aware of your bug report before.

IMO the proposed patch is wrong. If your pam script is not intended to
authenticate users, then don't use it in the authentication phase. If
the script is used to mount network shares or similar things, put it
into the session phase.

Having auth scripts be optional by default just leads to a situation
where everyone that wants to use a script for authentication has to
modify the pam configuration as this default most certainly won't be
right for his case. If you want to change the default, then better
change it to required, but this has the disadvantage you described of
fatal failures.

Regards,

Gaudenz
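
The effect of the three control flags discussed in this thread, as an added example that is not part of the original messages or of the pam-script package. It assumes a simplified two-module auth stack with `pam_script` ahead of `pam_unix` (not the common-auth file that pam-auth-update generates) and models only the traditional keywords of Linux-PAM.

```python
# Simplified model of Linux-PAM's traditional control flags (added example).
# Assumption: a two-module auth stack with pam_script ahead of pam_unix;
# this is not the common-auth file that pam-auth-update generates.

def evaluate(stack, results):
    """Return True if the stack grants access.

    stack   -- list of (control_flag, module_name) in execution order
    results -- module_name -> True (PAM_SUCCESS) or False (any failure)
    """
    failed = False     # a required module has failed
    succeeded = False  # a module whose success counts has succeeded
    for control, module in stack:
        ok = results[module]
        if control == "required":
            # failure is remembered, but the rest of the stack still runs
            failed = failed or not ok
            succeeded = succeeded or ok
        elif control == "requisite":
            if not ok:
                return False          # failure ends the stack at once
            succeeded = True
        elif control == "sufficient":
            if ok:
                return not failed     # success ends the stack at once
            # failure of a sufficient module is ignored
        elif control == "optional":
            succeeded = succeeded or ok   # failure is ignored
        else:
            raise ValueError(f"unknown control flag: {control}")
    return succeeded and not failed


def login_outcomes(script_flag):
    """Outcome for every (script exit status, password) combination."""
    stack = [(script_flag, "pam_script"), ("required", "pam_unix")]
    outcomes = {}
    for script_ok in (True, False):
        for password_ok in (True, False):
            results = {"pam_script": script_ok, "pam_unix": password_ok}
            outcomes[(script_ok, password_ok)] = evaluate(stack, results)
    return outcomes


if __name__ == "__main__":
    for flag in ("sufficient", "required", "optional"):
        for (script_ok, password_ok), granted in login_outcomes(flag).items():
            print(f"{flag:10} script_ok={script_ok!s:5} "
                  f"password_ok={password_ok!s:5} -> granted={granted}")
```

In this model the `optional` row always follows the password result alone, which is why a script meant to authenticate users has no say under that default.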