Subject: PAM_AUTHTOK/OLDAUTHTOK
Date: Fri, 13 Sep 2013 23:00:23 +0100
To: bug-Authen-PAM [...] rt.cpan.org
From: Ben Morrow <ben [...] morrow.me.uk>
The Authen::PAM FAQ states that PAM_AUTHTOK and PAM_OLDAUTHTOK are not
provided because PAM applications are not supposed to use them. However,
the XSSO PAM spec actually only says applications may not call
pam_get_item; calling pam_set_item is allowed, since it doesn't disclose
any passwords.

Linux-PAM disallows both, in violation of the spec, but both OpenPAM
(the BSDs) and Solaris-PAM allow pam_set_item with PAM_{,OLD}AUTHTOK, so
Authen::PAM should provide the constants. This makes it possible to
check and change passwords noninteractively, without using heuristics in
the conversation function or hacks in the module stack.

Ben
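As an added example (not code from the report or from the Authen::PAM distribution), this is the noninteractive password check the report describes: the token is handed to the library with pam_set_item(PAM_AUTHTOK) and the conversation function refuses to answer prompts, so nothing has to guess which prompt wants the password. It assumes OpenPAM or Solaris PAM underneath, that Authen::PAM's pam_set_item passes the numeric item type through, and defines PAM_AUTHTOK/PAM_OLDAUTHTOK locally with the XSSO item numbers because Authen::PAM does not export them; the service name, user and script name are hypothetical.

```perl
# Added example (not from Authen::PAM or the report): noninteractive
# password check via pam_set_item(PAM_AUTHTOK) on OpenPAM / Solaris PAM.
use strict;
use warnings;
use Authen::PAM qw(:constants);
# Assumption: Authen::PAM does not export these (the subject of the report);
# the values are the XSSO item numbers used by OpenPAM.
use constant PAM_AUTHTOK    => 6;
use constant PAM_OLDAUTHTOK => 7;

# Conversation function that never answers a prompt: if a module ignores the
# preset token and asks anyway, the exchange fails closed instead of hanging.
sub no_prompt_conv {
    my ($prompted, @res) = (0);
    while (@_) {
        my ($code, $msg) = splice @_, 0, 2;
        $prompted = 1 if $code == PAM_PROMPT_ECHO_ON() || $code == PAM_PROMPT_ECHO_OFF();
        push @res, (PAM_SUCCESS(), '');    # empty response for every message
    }
    push @res, $prompted ? PAM_CONV_ERR() : PAM_SUCCESS();   # overall result
    return @res;
}

# Returns ($ok, $message). Dies if the library refuses PAM_AUTHTOK, so the
# caller can tell "unsupported PAM implementation" from "wrong password".
sub check_password {
    my ($service, $user, $password) = @_;
    my $pamh;
    pam_start($service, $user, \&no_prompt_conv, $pamh) == PAM_SUCCESS()
        or die "pam_start failed for service '$service'\n";
    my $rc = pam_set_item($pamh, PAM_AUTHTOK(), $password);
    if ($rc != PAM_SUCCESS()) {              # Linux-PAM answers PAM_BAD_ITEM
        my $err = pam_strerror($pamh, $rc);
        pam_end($pamh, $rc);
        die "pam_set_item(PAM_AUTHTOK) refused: $err\n";
    }
    $rc = pam_authenticate($pamh, 0);
    $rc = pam_acct_mgmt($pamh, 0) if $rc == PAM_SUCCESS();   # expiry, lockout
    my $msg = pam_strerror($pamh, $rc);
    pam_end($pamh, $rc);
    return ($rc == PAM_SUCCESS() ? 1 : 0, $msg);
}

# Usage: perl pamcheck.pl <service> <user>, password on stdin (hypothetical
# names; keeps the secret off the command line and out of `ps`).
my ($service, $user) = @ARGV;
die "usage: $0 service user\n" unless defined $user;
chomp(my $password = <STDIN> // '');
my ($ok, $msg) = check_password($service, $user, $password);
print(($ok ? "accepted" : "rejected") . ": $msg\n");
exit($ok ? 0 : 1);
```

A password change follows the same pattern: set PAM_OLDAUTHTOK and PAM_AUTHTOK with pam_set_item and call pam_chauthtok instead of pam_authenticate, keeping the same non-answering conversation function.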