Disabling auth fallback to PAM
martin f krafft
madduck at madduck.net
Sat Nov 21 06:12:13 UTC 2015
thus spoke Timo Sirainen <tss at iki.fi> [2015-11-21 14:14 +1300]:
> Well, your topic is PAM.
Is it? My point is that PAM should not even be asked if an
authentication source beforehand knows about a user but the password
cannot be verified.
> But.. Right now passdb has result_success, result_failure and
> result_internalfail. I suppose it should be possible to add
> result_user_unknown there that defaults to result_failure if it's
> not explicitly set.
result_user_known should be returned when the authentication source
does not know about a user.
If the authentication source knows a user but fails to authenticate
him/her due to a password mismatch, the result should rather be
result_auth_failure.
Those two should really replace result_failure and the dovecot
authentication stack should only continue on result_user_known or
result_internalfail. If we get result_success or
result_auth_failure, then authentication is done and no further
sources should be considered.
--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
only by counting could humans demonstrate
their independence of computers.
-- douglas adams, "the hitchhiker's guide to the galaxy"
spamtraps: madduck.bogus at madduck.net
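
Added example, not part of the original message and not Dovecot code: a small C model of the stop/continue rule proposed in the message above, showing that a password mismatch in an earlier source keeps PAM from being consulted. The outcome names, the two-source chain and the sample accounts are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Outcome names are this example's own labels for the four cases in the post. */
enum outcome { OUT_SUCCESS, OUT_AUTH_FAILURE, OUT_USER_UNKNOWN, OUT_INTERNAL_FAIL };
struct account { const char *user, *password; };
struct source { const char *name; const struct account *accts; size_t n; int consulted; };
/* Constructed sample data: alice exists in both sources with different passwords. */
static const struct account first_accts[] = { {"alice", "mail-pw"} };
static const struct account pam_accts[] = { {"alice", "system-pw"}, {"bob", "bob-pw"} };
static struct source chain[] = {
    {"first", first_accts, 1, 0},
    {"pam", pam_accts, 2, 0},
};

/* Ask one source. accts == NULL models a backend that cannot be reached. */
static enum outcome source_verify(struct source *s, const char *user, const char *pw)
{
    s->consulted++;
    if (s->accts == NULL)
        return OUT_INTERNAL_FAIL;
    for (size_t i = 0; i < s->n; i++) {
        if (strcmp(s->accts[i].user, user) != 0)
            continue;
        /* Toy plaintext comparison; a real passdb verifies a password hash. */
        return strcmp(s->accts[i].password, pw) == 0 ? OUT_SUCCESS : OUT_AUTH_FAILURE;
    }
    return OUT_USER_UNKNOWN;
}

/* Stop on success or password mismatch; continue on unknown user or internal failure. */
static enum outcome chain_verify(struct source *c, size_t n, const char *user, const char *pw)
{
    enum outcome last = OUT_USER_UNKNOWN;
    for (size_t i = 0; i < n; i++) {
        last = source_verify(&c[i], user, pw);
        if (last == OUT_SUCCESS || last == OUT_AUTH_FAILURE)
            break;
    }
    return last;
}

int main(void)
{
    enum outcome r = chain_verify(chain, 2, "alice", "system-pw");
    printf("alice/system-pw -> %d, pam consulted %d time(s)\n", r, chain[1].consulted);
    printf("bob/bob-pw -> %d\n", chain_verify(chain, 2, "bob", "bob-pw"));
    return 0;
}
```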