And for apps like XDM or loginwindow where the app prompts for a username AND a password before calling pam_authenticate, it would be useful to be able to pam_set_item(PAM_AUTHTOK).

I have such an app. I cannot change it, but it can load a library for handling authentication, so we've made such a library, based on PAM, that provides the necessary methods to the app. The library does provide a conversation function and it can prompt the user, but currently the user is prompted for her password AGAIN after typing it in once in the original xdm-like login panel.

Nico

On Thu, Feb 15, 2001 at 10:10:49AM -0000, Mayers, Philip J wrote:
> Because it's a simple, cross-platform interface, and I can change the
> backend plugin between pam_db, pam_krb5, pam_mysql, or whatever. I don't see
> the need to reinvent the wheel - all it's missing is one spoke :o)
>
> I can come up with a module-driven scheme (multiple page reloads) but it's
> ick. I also don't buy the argument that PAM should only be used for
> interactive authentication.
>
> But hey, you're the boss. Topic closed.
>
> Regards,
> Phil
>
> +----------------------------------+
> | Phil Mayers, Network Support     |
> | Centre for Computing Services    |
> | Imperial College                 |
> +----------------------------------+
>
> -----Original Message-----
> From: Andrew Morgan [mailto:morgan@transmeta.com]
> Sent: 13 February 2001 23:09
> To: pam-list@redhat.com
> Subject: Re: [ Bug #129027 ] 0.73: PAM_AUTHTOK behavior
>
>
> "Mayers, Philip J" wrote:
> > So, back to my original query:
> >
> > What's wrong with code like this:
> >
> > pam_set_item(pamh, PAM_AUTHTOK, "passw0rD");
> > pam_authenticate();
> >
> > It doesn't work in Pam 0.74 because of sanitisation. I'm only interested in
> > *one* application for this, and that's non-interactive programs which have a
> > username and password combination (think webservers and mail relays).
>
> Think, why are you using PAM for this?
>
> > Clearly you'll sanitise the AUTHTOK on the way out. But on the way *in*?! I
> > know exactly what the reply is - "Binary prompts". But I don't want to use
> > that. I want something simple that works, which this does. try_first_pass
> > will still work. use_first_pass is an administrator choice.
>
> If you know that the only authentication method you are ever going to
> use is password based, why are you going to the trouble of using PAM?
>
> If you want to have a hard coded password authentication and use PAM for
> something else, then why not do this:
>
>     if ((my_predefined_authentication() == MY_SUCCESS)
>         && (pam_authenticate() == PAM_SUCCESS)) {
>         you_are_in();
>     } else {
>         sorry_permission_denied();
>     }
>
> One of the main things with PAM is that the modules drive the process of
> authentication. If the admin wants to plug in pam_permit.so then the
> user never needs to see a password prompt. What you are trying to do is
> tell PAM: here is the password I've decided you need - what control does
> an admin have over that?
>
> > <sigh>:o)
> >
> > This is never going to happen, is it?
>
> If you can come up with some scheme for getting a module to drive the
> request for a password, then it might.
>
> Cheers
>
> Andrew
>
> _______________________________________________
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
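The thread's answer to "the user is prompted again" is Andrew's point that the module drives the request: rather than the application pushing PAM_AUTHTOK in (which the sanitisation discards), the application's conversation function answers the module's prompts from what the login panel already collected. The following is an added example, not code from the thread or from Linux-PAM: a conversation function with the Linux-PAM signature that hands back the stored username for a PAM_PROMPT_ECHO_ON and the stored password for the first PAM_PROMPT_ECHO_OFF, refuses any later echo-off prompt instead of replaying the secret, and wipes the panel's copy afterwards. The `collected_creds` struct, `login_conv`, `discard_creds` and the sample credentials are assumptions of this example; the fallback type declarations are only there so the file compiles on a host without the PAM development headers.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefer the real Linux-PAM application header; otherwise declare the few
 * types and constants used here (mirroring security/_pam_types.h) so this
 * example still compiles without libpam-dev. */
#ifdef __has_include
# if __has_include(<security/pam_appl.h>)
#  define HAVE_PAM_APPL 1
# endif
#endif
#ifdef HAVE_PAM_APPL
# include <security/pam_appl.h>
#else
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
# define PAM_SUCCESS 0
# define PAM_BUF_ERR 5
# define PAM_CONV_ERR 19
# define PAM_PROMPT_ECHO_OFF 1
# define PAM_PROMPT_ECHO_ON 2
# define PAM_ERROR_MSG 3
# define PAM_TEXT_INFO 4
#endif

/* Hypothetical: what the login panel collected, passed to PAM through
 * struct pam_conv's appdata_ptr. */
struct collected_creds {
    const char *user;
    char       *password;       /* heap copy, wiped by discard_creds() */
    int         password_used;  /* the secret is handed over once only */
};

/* Overwrite a secret before freeing it (volatile defeats dead-store removal). */
static void wipe_free(char *s)
{
    if (s) { volatile char *p = s; while (*p) *p++ = 0; free(s); }
}

static void free_replies(struct pam_response *r, int n)
{
    int i;
    for (i = 0; i < n; i++) wipe_free(r[i].resp);
    free(r);
}

/* Conversation function with the Linux-PAM signature: a module asking for the
 * user name or password gets the panel's values instead of a second prompt. */
int login_conv(int num_msg, const struct pam_message **msg,
               struct pam_response **resp, void *appdata_ptr)
{
    struct collected_creds *creds = appdata_ptr;
    struct pam_response *replies;
    int i;

    if (num_msg <= 0 || creds == NULL)
        return PAM_CONV_ERR;
    /* PAM convention: one slot per message, allocated by the application and
     * freed by the module. */
    replies = calloc((size_t)num_msg, sizeof *replies);
    if (replies == NULL)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:              /* e.g. "login: " */
            answer = creds->user;
            break;
        case PAM_PROMPT_ECHO_OFF:             /* e.g. "Password: " */
            /* Only the first password prompt is answered from the panel. A
             * later echo-off prompt (another factor, a password change) is
             * something the panel never asked the user for, so refuse rather
             * than replay the secret into it. */
            if (creds->password_used)
                goto fail;
            answer = creds->password;
            creds->password_used = 1;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:                   /* display-only; no answer */
            continue;
        default:
            goto fail;
        }
        if (answer == NULL || (replies[i].resp = strdup(answer)) == NULL)
            goto fail;
    }
    *resp = replies;
    return PAM_SUCCESS;

fail:
    free_replies(replies, num_msg);
    *resp = NULL;
    return PAM_CONV_ERR;
}

/* Drop the panel's copy as soon as pam_authenticate() has returned. */
void discard_creds(struct collected_creds *creds)
{
    wipe_free(creds->password);
    creds->password = NULL;
}

/* Stand-alone demo replaying the prompt sequence a password module would send. */
int main(void)
{
    struct collected_creds creds = { "nico", strdup("s3cret"), 0 }; /* constructed */
    struct pam_message login = { PAM_PROMPT_ECHO_ON, "login: " };
    struct pam_message pw = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *prompts[2] = { &login, &pw };
    struct pam_response *replies = NULL;

    if (login_conv(2, prompts, &replies, &creds) == PAM_SUCCESS) {
        printf("module got user=%s and the password without prompting\n", replies[0].resp);
        free_replies(replies, 2);             /* normally the module frees these */
    }
    printf("second password prompt -> %s\n",
           login_conv(1, prompts + 1, &replies, &creds) == PAM_CONV_ERR ? "refused" : "answered");
    discard_creds(&creds);
    return 0;
}
```

In a real application the struct pam_conv passed to pam_start() would point at `login_conv` with `&creds` as appdata_ptr; the administrator keeps full control, since a stack that never asks for a password (pam_permit.so, in Andrew's example) never calls the conversation function at all, and try_first_pass/use_first_pass remain module-side choices.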