[Pkg-shadow-devel] Bug#498788: Bug#498788: last login fails
Tobias S. Josefowitz
tobij at goodadvice.pages.de
Thu Sep 18 14:30:36 UTC 2008
On Wed, 17 Sep 2008, Nicolas François wrote:
> On Wed, Sep 17, 2008 at 12:06:39PM +0200, tobij at goodadvice.pages.de wrote:
> Is there a need to differentiate the PAM maximum retries and the
> login.defs one?
> I would prefer to merge both check/messages.
That does not seem easily possible.
Short: failcount >= retries is known before pam_authenticate(),
PAM_MAXTRIES only afterwards.
PAM returns PAM_MAXTRIES if the call to pam_authenticate() is the last
possible because of PAMs very own counters and does not lead to
PAM_SUCCESS (because of wrong credentials and the like.)
In the case of failcount >= retries however, we already know that we'll
bail out because of "Number of tries exceeded", so there is no point in
letting the user enter his credentials (and checking them against PAM)
just to throw him out either way afterwards.
I currently do not see an *elegant* unified check for both cases.
More information about the Pkg-shadow-devel