On 29/06/13 09:44, Tollef Fog Heen wrote:
> ]] Jerome BENOIT
>
>> Nevertheless, a less egocentric reading of the PAM policy let me guess that
>> the priority may be higher but less than 256 (``local authentication'');
>> for the lower bound, as it makes sense that a ``strong measures'' module
>> needs a relevant effective TMPDIR, I guess that the priority must be strictly
>> greater than 128. On the other hand, libpam-tmpdir may implicitly need some
>> prerequirements while postrequirements may be needed as well:
>> rooms must be provided before and after. Therefrom, a priority of
>>
>> 128+(256-128)/2=192
>>
>> for libpam-tmpdir sounds reasonable wrt the Ubuntu documents cited above.
>
> I agree that the priority should probably be higher, but I don't think
> your reasoning holds, since it's not an authentication module, it's a
> session module, so any priority change won't really help you, if you do
> your work in the auth phase (which I think you are?).

Let me be egocentric again. pam_ssh(8) has both `auth' and `session' features:
the SSH agent is initiated during the `session' part.

In my current working `/etc/pam.d/login', I read:

[...]
@include common-session
session optional pam_ssh.so
[...]

And the last pam-config file libpam-ssh is:

--8><---------------------------------------------------
Name: Authenticate using SSH keys and start ssh-agent
Default: yes
Priority: 64
Auth-Type: Additional
Auth:
	optional	pam_ssh.so use_first_pass
Session-Interactive-Only: yes
Session-Type: Additional
Session-Final:
	optional	pam_ssh.so
------------------------------------------------><8-----

So, it is certainly the Session-Final that may be split:
a pre-pam-tmpdir part and a post-pam-tmpdir one.

>
>> Do you plan to fix this issue soon?
>
> I wasn't planning on changing it until we have some reasonable specs to
> go by, so we don't have uncoordinated priorities being set.
>

This sounds reasonable: on which door may we knock in order to clarify the point?

Best wishes,
Jerome
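
Added example (not part of the original message, and not pam-auth-update's own code): a simplified Python model of how the Priority field decides the relative order of the session lines discussed above. The libpam-tmpdir profile is constructed, 192 is the value proposed in the quoted text, and highest-Priority-first ordering is an assumption of the model.

```python
# Profile quoted in the message above (libpam-ssh).
PAM_SSH = """\
Name: Authenticate using SSH keys and start ssh-agent
Default: yes
Priority: 64
Auth-Type: Additional
Auth:
    optional pam_ssh.so use_first_pass
Session-Interactive-Only: yes
Session-Type: Additional
Session-Final:
    optional pam_ssh.so
"""

def tmpdir_profile(priority):
    """Constructed stand-in for a libpam-tmpdir profile (not the packaged file)."""
    return ("Name: Per-user temporary directories (constructed)\n"
            f"Priority: {priority}\n"
            "Session-Type: Additional\n"
            "Session:\n\toptional\tpam_tmpdir.so\n")

def parse_profile(text):
    """Parse 'Key: value' fields; indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key].append(" ".join(line.split()))
        elif line.strip():
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def session_order(profile_texts):
    """Return Additional session module lines, highest Priority first."""
    # Assumptions: ties break on Name; the Session/Session-Final selection
    # rules are ignored and whichever stanza the profile carries is used.
    profiles = [parse_profile(t) for t in profile_texts]
    profiles = [p for p in profiles if p.get("Session-Type") == ["Additional"]]
    profiles.sort(key=lambda p: (-int(p["Priority"][0]), p["Name"][0]))
    stack = []
    for p in profiles:
        stack += p.get("Session") or p.get("Session-Final") or []
    return stack

if __name__ == "__main__":
    for prio in (192, 0):  # 192 is the proposed value; 0 is a constructed contrast
        print(prio, session_order([PAM_SSH, tmpdir_profile(prio)]))
```

Under this model, pam_tmpdir.so runs before pam_ssh.so in the session stack only when its Priority exceeds 64, which is the ordering the session-phase ssh-agent start depends on.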