On Wed, 9 Aug 2000, Max Liccardo wrote:

> This is the problem with an external users db. Suppose I have an external
> user repository that I can access with username/password only, and I have
> an account to read/write into the db.
> By my pam module I have to authenticate a user using the external repository
> (i.e. radius, tacacs+, and so on...)...so I have a username/password to
> connect to my db and a username/password to authenticate. I suppose PAM_USER
> is for connecting to the db and PAM_RUSER is the identity of the user I want
> to authenticate.
> This is the case of radius/NAS: a NAS user could be authenticated by a radius
> using an external db: well, I use PAM_RUSER as the identity of the user into
> the NAS and PAM_USER to authenticate the PAM_RUSER into my external (oracle,
> ldap) repository.

This is not the meaning assigned to the tokens. PAM_RUSER is always the name of the remote user who made the request, never the name of the user being authenticated. Sometimes, PAM_RUSER == PAM_USER, but you should never count on this. PAM_RUSER may be useful for informational purposes (logging connections) or where it has bearing on authenticating the user named by PAM_USER (rhosts-style authentication, or RSA rhosts auth for ssh). Beyond that, it has few uses.

Does the application give your module the username and password used to authenticate to the external db? Would they be relevant to other modules? If your module gets the username/password from its own configuration file, there's no reason to store this username in one of the PAM_ITEMs: the PAM_ITEMs are there for module<->module and application<->module intercommunication.

Steve Langasek
postmodern programmer
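The layout Steve describes, as an added example that is not part of the thread and not code from any real PAM module: the account being authenticated is PAM_USER, PAM_RUSER is only logged, and the service credentials used to open the external repository come from the module's own configuration file, never from a PAM item. A real module would obtain the user with pam_get_user() and the remote user with pam_get_item(pamh, PAM_RUSER, ...) inside pam_sm_authenticate(); here those two values are passed in as plain strings so the decision logic runs without libpam. The `conf=` module argument, the key names in the config file, the `extdb_` function names and the sample users are all assumptions made for this example.

```c
/* Added example (not from the thread): an "external repository" PAM-style
 * authentication path that keeps the three identities apart:
 *   - pam_user  : the account to authenticate (what PAM_USER names)
 *   - pam_ruser : who made the request (PAM_RUSER); logged, never authenticated
 *   - db_user/db_pass : the module's own service account, read from its config
 * The pam_handle_t plumbing is left out so the logic can be compiled and run
 * stand-alone; all names and sample values are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VAL 128

struct extdb_config {
    char db_user[MAX_VAL];   /* service account that opens the repository */
    char db_pass[MAX_VAL];   /* its secret: lives in the module config only */
    char db_url[MAX_VAL];
};

/* Locate the hypothetical "conf=" argument among the pam.d module arguments. */
const char *extdb_conf_path(int argc, const char **argv) {
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "conf=", 5) == 0)
            return argv[i] + 5;
    return NULL;
}

/* Parse key=value lines (the config file text, held in memory here).
 * Returns 0 when all three required keys were present, -1 otherwise. */
int extdb_parse_config(const char *text, struct extdb_config *cfg) {
    memset(cfg, 0, sizeof *cfg);
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq && p[0] != '#') {               /* skip comment lines */
            size_t klen = (size_t)(eq - p), vlen = len - klen - 1;
            char *dst = NULL;
            if (klen == 7 && strncmp(p, "db_user", 7) == 0) dst = cfg->db_user;
            else if (klen == 7 && strncmp(p, "db_pass", 7) == 0) dst = cfg->db_pass;
            else if (klen == 6 && strncmp(p, "db_url", 6) == 0) dst = cfg->db_url;
            if (dst) {
                if (vlen >= MAX_VAL) return -1; /* refuse over-long values */
                memcpy(dst, eq + 1, vlen);
                dst[vlen] = '\0';
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return (cfg->db_user[0] && cfg->db_pass[0] && cfg->db_url[0]) ? 0 : -1;
}

/* Backend hook: binds with the service account, then checks the subject. */
typedef int (*extdb_check_fn)(const struct extdb_config *cfg,
                              const char *user, const char *authtok);

/* Mirrors the body of pam_sm_authenticate() minus the libpam calls.
 * Returns 0 on success, 1 on authentication failure, 2 on config/usage error. */
int extdb_authenticate(const char *pam_user, const char *pam_ruser,
                       const char *authtok, const char *config_text,
                       extdb_check_fn check) {
    struct extdb_config cfg;
    if (!pam_user || !authtok || extdb_parse_config(config_text, &cfg) != 0)
        return 2;
    /* PAM_RUSER is informational: record who asked, do not authenticate it. */
    fprintf(stderr, "extdb: request by ruser=%s for user=%s\n",
            pam_ruser ? pam_ruser : "(none)", pam_user);
    int ok = check(&cfg, pam_user, authtok);
    memset(cfg.db_pass, 0, sizeof cfg.db_pass);   /* scrub the service secret */
    return ok ? 0 : 1;
}

/* Constructed stand-in for the repository: one known user, one service account. */
static int demo_check(const struct extdb_config *cfg, const char *user, const char *authtok) {
    if (strcmp(cfg->db_user, "pamsvc") != 0 || strcmp(cfg->db_pass, "svc-password") != 0)
        return 0;                                  /* service bind rejected */
    return strcmp(user, "alice") == 0 && strcmp(authtok, "s3cret") == 0;
}

/* Constructed sample of what the conf= file would contain. */
static const char DEMO_CONF[] =
    "# constructed sample config\n"
    "db_url=ldap://repo.example\n"
    "db_user=pamsvc\n"
    "db_pass=svc-password\n";

int main(void) {
    const char *argv[] = { "conf=/etc/security/extdb.conf", "debug" };
    printf("config path: %s\n", extdb_conf_path(2, argv));
    printf("alice from nas01 -> %d\n", extdb_authenticate("alice", "nas01", "s3cret", DEMO_CONF, demo_check));
    printf("bob from nas01   -> %d\n", extdb_authenticate("bob", "nas01", "s3cret", DEMO_CONF, demo_check));
    return 0;
}
```

Note that the remote user only ever reaches the log line: the repository is queried for pam_user, and the credentials that open it are scrubbed from memory after the check rather than stashed in a PAM item where other modules or the application could read them.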