Because it's a simple, cross-platform interface, and I can change the backend plugin between pam_db, pam_krb5, pam_mysql, or whatever. I don't see the need to reinvent the wheel - all it's missing is one spoke :o)

I can come up with a module-driven scheme (multiple page reloads) but it's ick. I also don't buy the argument that PAM should only be used for interactive authentication.

But hey, you're the boss. Topic closed.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Andrew Morgan [mailto:morgan@transmeta.com]
Sent: 13 February 2001 23:09
To: pam-list@redhat.com
Subject: Re: [ Bug #129027 ] 0.73: PAM_AUTHTOK behavior

"Mayers, Philip J" wrote:
> So, back to my original query:
>
> What's wrong with code like this:
>
> pam_set_item(pamh,PAM_AUTHTOK, 'passw0rD');
> pam_authenticate();
>
> It doesn't work in Pam 0.74 because of sanitisation. I'm only interested in
> *one* application for this, and that's non-interactive programs which have a
> username and password combination (think webservers and mail relays).

Think, why are you using PAM for this?

> Clearly you'll sanitise the AUTHTOK on the way out. But on the way *in*?! I
> know exactly what the reply is - "Binary prompts". But I don't want to use
> that. I want something simple that works, which this does. try_first_pass
> will still work. use_first_pass is an administrator choice.

If you know that the only authentication method you are ever going to use is password based, why are you going to the trouble of using PAM?

If you want to have a hard coded password authentication and use PAM for something else, then why not do this:

    if ((my_predefined_authentication() == MY_SUCCESS)
        && (pam_authenticate() == PAM_SUCCESS)) {
        you_are_in();
    } else {
        sorry_permission_denied();
    }

One of the main things with PAM is that the modules drive the process of authentication. If the admin wants to plug in pam_permit.so then the user never needs to see a password prompt. What you are trying to do is tell PAM: here is the password I've decided you need - what control does an admin have over that?

> <sigh>:o)
>
> This is never going to happen, is it?

If you can come up with some scheme for getting a module to drive the request for a password, then it might.

Cheers

Andrew
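Added example, not code from this thread or from Linux-PAM: one common way for a non-interactive program to keep the modules in charge is a conversation callback that hands over the stored password only when a module actually prompts for it. The names `stored_creds`, `dup_str` and `stored_creds_conv` are hypothetical, and the `#else` branch only mirrors the Linux-PAM declarations so the block compiles where the headers are not installed.

```c
#include <stdlib.h>
#include <string.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* headers absent: minimal copies of the Linux-PAM declarations */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
#endif

/* Hypothetical holder for credentials the application already has. */
struct stored_creds { const char *user; const char *password; };

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Conversation callback: answers only the prompts the module stack sends.
 * Echo-off prompts get the password, echo-on prompts the user name; any
 * other prompt style (e.g. a binary prompt) fails closed. */
int stored_creds_conv(int num_msg, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata_ptr)
{
    const struct stored_creds *c = appdata_ptr;
    if (num_msg <= 0 || !msg || !resp || !c) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: answer = c->password; break;
        case PAM_PROMPT_ECHO_ON:  answer = c->user;     break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:       continue;  /* nothing to answer */
        default:                  goto fail; /* unknown prompt style */
        }
        if (!answer || !(r[i].resp = dup_str(answer))) goto fail;
    }
    *resp = r; /* the PAM library frees the array and the strings */
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < num_msg; i++) /* best-effort wipe before free */
        if (r[i].resp) { memset(r[i].resp, 0, strlen(r[i].resp)); free(r[i].resp); }
    free(r);
    return PAM_CONV_ERR;
}
```

To use it, pass `struct pam_conv pc = { stored_creds_conv, &creds };` to `pam_start()` and then call `pam_authenticate(pamh, 0)`. A stack consisting only of `pam_permit.so` never invokes the callback, so the choice of whether a password is requested stays with the administrator's configuration.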