On Tue, Jan 15, 2002 at 10:23:14AM +0100, Thorsten Kukuk wrote:
> I have an application which uses PAM for user authentication.
> But now I later need the user's current clear-text password to
> change some user information on a remote side over NIS, NIS+ or
> LDAP.
> It is stupid to ask the user a second time for the password.
> pam_get_item (pamh, PAM_OLDAUTHTOK, ...); does not work from
> the application; is there another way to access the data?
> I could write my own conversation function and parse the strings,
> but I don't think that this is a really good idea.

Three things that I have seen done in the past:

* create a separate PAM (session) module that accesses the AUTHTOK and
  uses it to do whatever you need done (or to at least set up the
  connection for the app to use).

* use pam_setcred() to export some reusable credentials to the
  application; primarily useful for Kerberos and similar authentication
  systems.

* there is a PAM auth module, discussed here about a year ago, that lets
  an application writer pre-load a password for use by the PAM stack.
  This way you can do your own password prompting, give PAM a copy of
  the password, and reuse the password for the application's purposes.

You specifically mention PAM_OLDAUTHTOK here. Is this operation on the
remote (NIS, LDAP, etc.) server a password-changing one? If so, doesn't
option 1 make the most sense?

Steve Langasek
postmodern programmer