Re: [ Bug #129027 ] 0.73: PAM_AUTHTOK behavior

"Mayers, Philip J" wrote:
> So, back to my original query:
> 
> What's wrong with code like this:
> 
> pam_set_item(pamh, PAM_AUTHTOK, "passw0rD");
> pam_authenticate(pamh, 0);
> 
> It doesn't work in PAM 0.74 because of sanitisation. I'm only interested in
> *one* application for this, and that's non-interactive programs which have a
> username and password combination (think webservers and mail relays).

Think, why are you using PAM for this?

> Clearly you'll sanitise the AUTHTOK on the way out. But on the way *in*?! I
> know exactly what the reply is - "Binary prompts". But I don't want to use
> that. I want something simple that works, which this does. try_first_pass
> will still work. use_first_pass is an administrator choice.

If you know that the only authentication method you are ever going to
use is password based, why are you going to the trouble of using PAM?

If you want to have a hard coded password authentication and use PAM for
something else, then why not do this:

   if ((my_predefined_authentication() == MY_SUCCESS)
       && (pam_authenticate(pamh, 0) == PAM_SUCCESS)) {
       you_are_in();
   } else {
       sorry_permission_denied();
   }

One of the main things with PAM is that the modules drive the process of
authentication. If the admin wants to plug in pam_permit.so then the
user never needs to see a password prompt. What you are trying to do is
tell PAM: here is the password I've decided you need - what control does
an admin have over that?

> <sigh>:o)
> 
> This is never going to happen, is it?

If you can come up with some scheme for getting a module to drive the
request for a password, then it might.

Cheers

Andrew
