Hi,
Yassir who was going through the PAM code recently pointed out two strange issues with the PAM responder's usage of negative cache. Please see the attached patches for more details, but simplified version is:
1) The negative cache was only ever checked for domainless searches
2) The negative cache was only checked, never set
I don't think this is a pressing issue because in most occasions, the negative cache would be hit by the application calling getpwnam() and so the PAM responder would not be called at all, but I think the code should at least be consistent.
The alternative is of course to stop using negative cache in the PAM responder completely, but I think it has some benefit if the application would only call the PAM conversation.
On 08/07/2013 12:04 PM, Jakub Hrozek wrote:
Hi,
Yassir who was going through the PAM code recently pointed out two strange issues with the PAM responder's usage of negative cache. Please see the attached patches for more details, but simplified version is:
- The negative cache was only ever checked for domainless searches
- The negative cache was only checked, never set
I don't think this is a pressing issue because in most occasions, the negative cache would be hit by the application calling getpwnam() and so the PAM responder would not be called at all, but I think the code should at least be consistent.
The alternative is of course to stop using negative cache in the PAM responder completely, but I think it has some benefit if the application would only call the PAM conversation.
Both patches apply cleanly and fix the issue
Ack to both
On Wed, Aug 07, 2013 at 01:37:21PM +0200, Ondrej Kos wrote:
On 08/07/2013 12:04 PM, Jakub Hrozek wrote:
Hi,
Yassir who was going through the PAM code recently pointed out two strange issues with the PAM responder's usage of negative cache. Please see the attached patches for more details, but simplified version is:
- The negative cache was only ever checked for domainless searches
- The negative cache was only checked, never set
I don't think this is a pressing issue because in most occasions, the negative cache would be hit by the application calling getpwnam() and so the PAM responder would not be called at all, but I think the code should at least be consistent.
The alternative is of course to stop using negative cache in the PAM responder completely, but I think it has some benefit if the application would only call the PAM conversation.
Both patches apply cleanly and fix the issue
Ack to both
Pushed to master.
sssd-devel@lists.fedorahosted.org