Hi,
Yassir who was going through the PAM code recently pointed out two
strange issues with the PAM responder's usage of negative cache. Please
see the attached patches for more details, but simplified version is:
1) The negative cache was only ever checked for domainless searches
2) The negative cache was only checked, never set
I don't think this is a pressing issue because in most occasions, the
negative cache would be hit by the application calling getpwnam() and so
the PAM responder would not be called at all, but I think the code
should at least be consistent.
The alternative is of course to stop using negative cache in the PAM
respnder completely, but I think it has some benefit if the application
would only call the PAM conversation.