RE: [ Bug #129027 ] 0.73: PAM_AUTHTOK behavior


 



Because it's a simple, cross-platform interface, and I can change the
backend plugin between pam_db, pam_krb5, pam_mysql, or whatever. I don't see
the need to reinvent the wheel - all it's missing is one spoke :o)

I can come up with a module-driven scheme (multiple page reloads) but it's
ick. I also don't buy the argument that PAM should only be used for
interactive authentication.

But hey, you're the boss. Topic closed.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  

-----Original Message-----
From: Andrew Morgan [mailto:morgan@transmeta.com]
Sent: 13 February 2001 23:09
To: pam-list@redhat.com
Subject: Re: [ Bug #129027 ] 0.73: PAM_AUTHTOK behavior


"Mayers, Philip J" wrote:
> So, back to my original query:
> 
> What's wrong with code like this:
> 
> pam_set_item(pamh, PAM_AUTHTOK, "passw0rD");
> pam_authenticate(pamh, 0);
> 
> It doesn't work in PAM 0.74 because of sanitisation. I'm only interested in
> *one* application for this, and that's non-interactive programs which have a
> username and password combination (think webservers and mail relays).

Think, why are you using PAM for this?

> Clearly you'll sanitise the AUTHTOK on the way out. But on the way *in*?! I
> know exactly what the reply is - "Binary prompts". But I don't want to use
> that. I want something simple that works, which this does. try_first_pass
> will still work. use_first_pass is an administrator choice.

If you know that the only authentication method you are ever going to
use is password based, why are you going to the trouble of using PAM?

If you want to have a hard coded password authentication and use PAM for
something else, then why not do this:

   /* application's own check first, then let the admin's PAM stack decide */
   if ((my_predefined_authentication() == MY_SUCCESS)
	&& (pam_authenticate(pamh, 0) == PAM_SUCCESS)) {
       you_are_in();
   } else {
       sorry_permission_denied();
   }

One of the main things with PAM is that the modules drive the process of
authentication. If the admin wants to plug in pam_permit.so then the
user never needs to see a password prompt. What you are trying to do is
tell PAM: here is the password I've decided you need - what control does
an admin have over that?

> <sigh>:o)
> 
> This is never going to happen, is it?

If you can come up with some scheme for getting a module to drive the
request for a password, then it might.

Cheers

Andrew
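Andrew's point above, that a module rather than the application should drive the request for a password, is exactly what the PAM conversation function exists for. The following is an added example, not code from this thread or from Linux-PAM: a non-interactive client (the webserver or mail-relay case Phil describes) that hands its stored password to libpam only when a module issues a hidden prompt, and refuses anything else. It binds to libpam through ctypes using Linux-PAM's struct layouts and constants; the service name, user and password are whatever the caller supplies.

```python
import ctypes.util

# Linux-PAM values and struct layouts (security/_pam_types.h, security/pam_appl.h)
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR, PAM_SILENT, PAM_DISALLOW_NULL_AUTHTOK = 0, 5, 19, 0x8000, 0x1
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4

def answer_prompts(styles, password):
    """Reply policy for one round: the secret goes only to a hidden prompt a module chose to issue."""
    replies = []                      # one entry per message; None = no text to return
    for style in styles:
        if style == PAM_PROMPT_ECHO_OFF:
            replies.append(password)
        elif style in (PAM_TEXT_INFO, PAM_ERROR_MSG):
            replies.append(None)
        else:                         # echoed, binary or unknown prompt: refuse the whole round
            return None
    return replies

class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]
class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]
CONV = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
                        ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)
class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV), ("appdata_ptr", ctypes.c_void_p)]

def authenticate(service, user, password):  # returns the PAM status code (0 = success)
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libpam = ctypes.CDLL(ctypes.util.find_library("pam"))
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    def conv(n, msgs, resp, _appdata):  # libpam calls this whenever a module prompts
        replies = answer_prompts([msgs[i].contents.msg_style for i in range(n)], password)
        if replies is None:
            return PAM_CONV_ERR
        arr = libc.calloc(n, ctypes.sizeof(PamResponse))  # libpam free()s the replies,
        if not arr:                                        # so they must come from libc
            return PAM_BUF_ERR
        out = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i, text in enumerate(replies):
            out[i].resp = libc.strdup(text.encode()) if text is not None else None
        resp[0] = out
        return PAM_SUCCESS
    handler = CONV(conv)  # must outlive the handle; libpam stores only the pointer
    pconv, pamh = PamConv(handler, None), ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(), ctypes.byref(pconv), ctypes.byref(pamh))
    if rc == PAM_SUCCESS:
        rc = libpam.pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK)
    libpam.pam_end(pamh, rc)
    return rc
```

A real service would also call pam_acct_mgmt() after a successful pam_authenticate() before granting access; it is left out here to keep the block short. With this shape the admin keeps control: pam_permit.so never prompts and the password is never released, while try_first_pass/use_first_pass remain a module-side choice.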



_______________________________________________

Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list




