Hi Benjamin,

> I am new to PAM, and I am writing an application in Linux that needs to
> authenticate users. So far, I have been successful in authenticating users
> by letting the PAM APIs prompt the user to enter their password. However, I
> would like users to send their password through an API instead of
> prompting them to enter their password. Can anybody explain if this is
> possible and how?
>
> For example, I would like a user to enter from the command line something
> like:
>
> $ myapp login [user] passwd [password]
>
> and pass both [user] and [password] to a PAM API that will authenticate the
> user with the given password.

To be fully PAM-compliant, an application must allow a PAM module to prompt for arbitrary information from the applicant. Not all PAM modules will be satisfied with a single 'password' item. There are cases where this is the only information the application can get from the user, due to protocol restraints; if you find yourself in such a situation, I suggest looking at the conversation function from one of the PAMified pop3 daemons for an example of how to do this. If you aren't subject to this limitation, please consider using the standard PAM conversation function from libpam_misc. PAM is designed to be much more flexible than this; it would be a shame to restrict its usefulness unnecessarily.

Regardless, it's a bad idea to take the password as a command-line argument to your program as in the example above. Program arguments and environment variables are globally visible on many Unices, which means it's not secure to transmit passwords by either of these methods.
> Second, I noticed in the PAM website that an example application requires
> application writers that wish to use PAM to add a couple of lines in the
> /etc/pam.conf file that look like this:
>
> [service name] auth required [pam auth library name]
> [service name] account required [pam acct library name]

This is the responsibility of the administrator, not of the application writer. Linux-PAM (and I believe Solaris PAM as well) has support for a default set of modules (service name 'other') to be used if the specified service name can not be found. RedHat chooses to set a default policy of 'deny', but an administrator can also set a default policy that he/she wants all installed applications to use.

> Is it possible to avoid having to do this? I believe that one option is to
> provide your own authentication module (library) -- in the same way login,
> su, and other Linux apps do --, and link your application to that module.
> Are there any other options? Having to provide another library in my
> application is the last option, so modifying the pam.conf file is probably
> ok, but if there is an option that does not require providing a new library
> and changing the pam.conf file, I would be glad to know about it.

You would only need to provide a PAM module with your application if your application has custom authentication requirements.

Steve Langasek
postmodern programmer