On Sat, 7 Oct 2000, Dustin Puryear wrote: > Hello, I have written a PAM (should I say "PAM" or "PAM module"?) that > will send an alert when a given user logs into the system. However, I am > a bit confused as to how to configure when the module should be used by > PAM. > I want the module to only run if the user has already been > authenticated. At first I considered using the following as the > configuration line: > auth optional /lib/security/pam_login_alert.so > But that will generate an alert even if the user is not authenticated > via pam_unix.so or something similar. (My module returns PAM_IGNORE.) > I then considered using the module only when a session is opened via: > session optional /lib/security/pam_login_alert.so > But I'm not sure if every application will actually open a session. This > means that the module may not be invoked even if the user is actually > authenticated for the service. > What is the best way to do this? Suggestions are appreciated. Hello Dustin, You are correct that not all PAM services will call pam_open_session(), as this doesn't make sense for all services. I would suggest that this module is most useful if it can be called in any of auth, acct, or session. This would give flexibility wrt different PAM apps. You might try this config for the authentication section: auth requisite /lib/security/pam_unix.so auth optional /lib/security/pam_login_alert.so The 'requisite' label tells PAM to not process anything past that point in the stack if pam_unix.so fails. Personally, I'd say the "right" way to do this is to use your module in the 'session' stack if possible, and in the 'acct' stack if the session functions aren't called. HTH, Steve Langasek postmodern programmer
