Hi Phil,

The imap and ipop clients from the imap-2000 rpm; su from sh-utils (and I
believe others too), various utilities in util-linux, proftpd...

The format that everyone seems to be following is:

    pw = getpwnam(name);
    if(pw) {
        pam_start("...", pw->pw_name, ...);
        pam_authenticate(...);
        ...
    }

login from login-utils is one of the apps that seems to do it right.

Part of the problem in some of these utilities is that they attempt to
decide if the operation is disallowed for reasons other than lack of
authentication before trying to authenticate. For example, chsh will try to
determine if an account is being managed locally or by NIS prior to
authentication; if it is being managed by NIS, then it won't proceed and
suggests ypchsh instead. It checks this by using getpwnam. This particular
example is an attribute-write, so this may fall into the case that Mark and
Nicolas are debating over.

I've tried to contact the various maintainers of these packages to determine
if they would accept a patch that uses PAM to determine user-existence, but
in general I've simply encountered silence.

I'm also a little bit concerned because while PAM can be used to check for
user existence (via pam_authenticate()), this may have more side-effects
than desired (e.g. the need to actually authenticate, etc.).

Regards,
Chris

"Mayers, Philip J" wrote:
>
> I believe, strictly speaking, that's an application error - the application
> should call PAM *before* any NSS calls if at all possible, exactly for this
> reason. Last I checked, most didn't - which breaks Kerberos template users
> (and any other username-rewriting)
>
> The "correct" solution here is to fix the app, if at all possible - which
> applications are you using?
>
> Regards,
> Phil
>
> +----------------------------------+
> | Phil Mayers, Network Support     |
> | Centre for Computing Services    |
> | Imperial College                 |
> +----------------------------------+
>
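The two orderings under discussion, as an added example that is not code from the thread or from any of the packages named in it. libpam is not linked here: the pam_start/pam_authenticate/pam_get_item/pam_end functions below are a small in-file model with the real Linux-PAM signatures and return codes, whose single "module" rewrites PAM_USER the way a Kerberos template-user setup does ("alice@EXAMPLE.COM" becomes "alice") before checking a password. The account list, credential table and realm are constructed for the demo. The two application-side functions are the point: login_nss_first() is the getpwnam-then-PAM pattern the mail describes and rejects the template user before PAM ever runs; login_pam_first() is the ordering Phil recommends and looks up whatever PAM_USER became after authentication.

```c
/* Added example: why an application should run PAM before its NSS lookup.
 * libpam is NOT linked; the pam_* functions below are a constructed model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS         0
#define PAM_BUF_ERR         5
#define PAM_AUTH_ERR        7
#define PAM_USER_UNKNOWN    10
#define PAM_BAD_ITEM        29
#define PAM_USER            2
#define PAM_PROMPT_ECHO_OFF 1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
typedef struct pam_handle {
    const char *service;
    const struct pam_conv *conv;
    char *user;                 /* the PAM_USER item; modules may replace it */
} pam_handle_t;

/* Constructed stand-ins for NSS (getpwnam) and for the module's credential store. */
static const char *local_accounts[] = { "root", "alice", "bob", NULL };
static const struct { const char *user, *password; } credentials[] = {
    { "alice", "s3cret" }, { "bob", "hunter2" }, { NULL, NULL }
};

static int nss_user_exists(const char *name)       /* models getpwnam(name) != NULL */
{
    for (int i = 0; local_accounts[i]; i++)
        if (strcmp(local_accounts[i], name) == 0) return 1;
    return 0;
}

static char *dup_prefix(const char *s, size_t n)   /* strndup without the POSIX dependency */
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* ---- model of the libpam calls the application makes (constructed) ---- */
int pam_start(const char *service, const char *user,
              const struct pam_conv *conv, pam_handle_t **pamh)
{
    *pamh = calloc(1, sizeof **pamh);
    if (!*pamh) return PAM_BUF_ERR;
    (*pamh)->service = service;
    (*pamh)->conv = conv;
    (*pamh)->user = dup_prefix(user, strlen(user));
    return (*pamh)->user ? PAM_SUCCESS : PAM_BUF_ERR;
}

/* One module: map principal@REALM to the local name, then verify the password. */
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    (void)flags;
    const char *at = strchr(pamh->user, '@');
    if (at) {                                      /* username rewriting happens here */
        char *mapped = dup_prefix(pamh->user, (size_t)(at - pamh->user));
        if (!mapped) return PAM_BUF_ERR;
        free(pamh->user);
        pamh->user = mapped;
    }
    const struct pam_message msg = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[1] = { &msg };
    struct pam_response *resp = NULL;
    if (pamh->conv->conv(1, msgs, &resp, pamh->conv->appdata_ptr) != PAM_SUCCESS || !resp)
        return PAM_AUTH_ERR;
    int rc = PAM_USER_UNKNOWN;
    for (int i = 0; credentials[i].user; i++)
        if (strcmp(credentials[i].user, pamh->user) == 0)
            rc = strcmp(credentials[i].password, resp->resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
    free(resp->resp);
    free(resp);
    return rc;
}

int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item)
{
    if (item_type != PAM_USER) return PAM_BAD_ITEM;
    *item = pamh->user;
    return PAM_SUCCESS;
}

int pam_end(pam_handle_t *pamh, int status)
{
    (void)status;
    free(pamh->user);
    free(pamh);
    return PAM_SUCCESS;
}

/* Application conversation: answers every prompt with the password in appdata_ptr (demo only). */
static int app_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    (void)msg;
    *resp = calloc((size_t)n, sizeof **resp);
    if (!*resp) return PAM_BUF_ERR;
    (*resp)[0].resp = dup_prefix((const char *)appdata, strlen((const char *)appdata));
    return PAM_SUCCESS;
}

/* The pattern the mail describes (imap, ipop, su, ...): NSS decides before PAM runs. */
int login_nss_first(const char *name, const char *password)
{
    if (!nss_user_exists(name))
        return PAM_USER_UNKNOWN;   /* a template user never reaches PAM */
    struct pam_conv conv = { app_conv, (void *)password };
    pam_handle_t *pamh = NULL;
    int rc = pam_start("login", name, &conv, &pamh);
    if (rc == PAM_SUCCESS) rc = pam_authenticate(pamh, 0);
    if (pamh) pam_end(pamh, rc);
    return rc;
}

/* The ordering Phil recommends: PAM first, then look up whatever PAM_USER became. */
int login_pam_first(const char *name, const char *password, char *local_user, size_t len)
{
    struct pam_conv conv = { app_conv, (void *)password };
    pam_handle_t *pamh = NULL;
    int rc = pam_start("login", name, &conv, &pamh);
    if (rc == PAM_SUCCESS) rc = pam_authenticate(pamh, 0);
    if (rc == PAM_SUCCESS) {
        const void *u = NULL;
        rc = pam_get_item(pamh, PAM_USER, &u);
        if (rc == PAM_SUCCESS && !nss_user_exists((const char *)u)) rc = PAM_USER_UNKNOWN;
        if (rc == PAM_SUCCESS) snprintf(local_user, len, "%s", (const char *)u);
    }
    if (pamh) pam_end(pamh, rc);
    return rc;
}

int main(void)
{
    char who[64] = "";
    printf("NSS first, alice@EXAMPLE.COM: rc=%d\n", login_nss_first("alice@EXAMPLE.COM", "s3cret"));
    printf("PAM first, alice@EXAMPLE.COM: rc=%d -> local user %s\n",
           login_pam_first("alice@EXAMPLE.COM", "s3cret", who, sizeof who), who);
    return 0;
}
```

With the real library the two application functions compile unchanged against <security/pam_appl.h> and -lpam; only the model section goes away. Note that login_pam_first() still calls the NSS lookup, just after pam_get_item(PAM_USER), which is also where an application would add pam_acct_mgmt() before deciding the account is usable.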