[Pkg-shadow-devel] Bug#498788: Bug#498788: last login fails

Tobias S. Josefowitz tobij at goodadvice.pages.de
Thu Sep 18 14:30:36 UTC 2008

On Wed, 17 Sep 2008, Nicolas François wrote:

> On Wed, Sep 17, 2008 at 12:06:39PM +0200, tobij at goodadvice.pages.de wrote:
> Is there a need to differentiate the PAM maximum retries and the
> login.defs one?
> I would prefer to merge both check/messages.

That does not seem easily possible.

Short: failcount >= retries is known before pam_authenticate(), 
PAM_MAXTRIES only afterwards.


PAM returns PAM_MAXTRIES if the call to pam_authenticate() is the last 
possible because of PAMs very own counters and does not lead to 
PAM_SUCCESS (because of wrong credentials and the like.)

In the case of failcount >= retries however, we already know that we'll 
bail out because of "Number of tries exceeded", so there is no point in 
letting the user enter his credentials (and checking them against PAM) 
just to throw him out either way afterwards.

I currently do not see an *elegant* unified check for both cases.

Kind regards,

More information about the Pkg-shadow-devel mailing list