Bug 951 - tl-passwd/tl-pam-passwd architecture is unreliable
Summary: tl-passwd/tl-pam-passwd architecture is unreliable
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other (show other bugs)
Version: 1.3.2
Hardware: PC Linux
: P2 Enhancement
Target Milestone: 4.13.0
Assignee: Peter Åstrand
Keywords: interesting_210
Depends on:
Blocks: 4562
  Show dependency treegraph
Reported: 2004-11-03 10:18 CET by Peter Åstrand
Modified: 2021-04-29 08:09 CEST (History)
0 users

See Also:
Acceptance Criteria:


Description Peter Åstrand cendio 2004-11-03 10:18:43 CET
tl-pam-passwd currently tries to "parse" the PAM prompts, and find out what
prompt is the prompt for the old password, what prompt is the prompt for the new
passwords etc. This usually works, but has several drawbacks. PAM is, by
definition, an interactive system. It's not possible to have a program
"interpret" the prompts in a reliable way. A much more straightforward approach
would be to pass the PAM prompts directly up to the GUI. 

One drawback with this approach is that PAM is not normally translated. We could
solve this by having tl-passwd translate strings from well-known PAM modules,
such as pam_ldap. That should work good-enough. 

One advantage with this approach is that we will no longer need to call
lsh-pam-checkpw from tl-passwd. Currently, you might up in a situation where you
can login, but not change the password.
Comment 2 Erik Forsberg cendio 2008-04-16 11:27:50 CEST
Hmm.. Perhaps we should reconsider tl-passwd completely now when we have better client support for password changes (bug 2640, bug 1108, bug 2760)? Depends a bit on if it's possible to make all pam modules use keyboard interactive for example for grace login support. 

If we decide to keep tl-passwd, without trying to translate, we still need to know which prompt response is the new password, to be able to update the SSO info. Perhaps the same regexp-solution as the client uses would work? 
Comment 4 Pierre Ossman cendio 2021-04-29 08:09:33 CEST
tl-passwd has been removed from the product.

Note You need to log in before you can comment on or make changes to this bug.