Hi,

On Tue, Jan 15, Steve Langasek wrote:

> On Tue, Jan 15, 2002 at 10:23:14AM +0100, Thorsten Kukuk wrote:
>
> > I have an application, which uses PAM for user authentication.
> > But now I need later the current clear password of the User to
> > change some user information on a remote side over NIS, NIS+ or
> > LDAP.
> >
> > It is stupid to ask the user a second time for the password.
> >
> > pam_get_item (pamh, PAM_OLDAUTHTOK, ...); does not work from
> > the application, is there another way to access the data?
> > I could write my own conversion function and parse the strings,
> > but I don't think that this is a really good idea.
>
> Three things that I have seen done in the past:
>
> * create a separate PAM (session) module that accesses the AUTHTOK and
>   uses it to do whatever you need done (or to at least set up the
>   connection for the app to use).
> * use pam_setcred() to export some reusable credentials to the
>   application; primarily useful for Kerberos and similar authentication
>   systems.
> * there is a PAM auth module, discussed here about a year ago, that lets
>   an application writer pre-load a password for use by the PAM stack.
>   This way you can do your own password prompting, give PAM a copy of
>   the password, and reuse the password for the application's purposes.
>
> You specifically mention PAM_OLDAUTHTOK here. Is this operation on the
> remote (NIS, LDAP, etc.) server a password-changing one? If so, doesn't
> option 1 make the most sense?

Password-changing could be done with pam_sm_chauthtok, this is no
problem and works fine.

I try to merge the different chsh/chfn versions into one, which is
able to change the shell/gecos information for a user without the need
for the user to know where the data is stored and which program to
use.

I wish to do the normal, necessary authentication with PAM and then
change the information on the remote side.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE GmbH            Deutschherrenstr. 15-19       D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
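The application-side conversation function mentioned in the message can capture the hidden answer by message style instead of parsing prompt strings. The following is an added example, not code from this thread or from Linux-PAM: `struct capture`, `capture_conv`, `capture_wipe` and `fake_conv` are hypothetical names, and the sample answers are constructed. It assumes the Linux-PAM calling convention (an array of pointers to messages) and an authentication stack that asks for exactly one hidden value.

```c
#include <stdlib.h>
#include <string.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* fallback mirroring Linux-PAM's declarations, so this builds without its headers */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_CONV_ERR = 19 };
#endif

/* Hypothetical wrapper state: the real conversation plus one captured secret. */
struct capture { const struct pam_conv *inner; char secret[256]; int have; };

/* Give this to pam_start() as conv, with appdata_ptr pointing at a struct capture.
 * It selects on msg_style, never on prompt text, which modules may localise. */
int capture_conv(int n, const struct pam_message **msg,
                 struct pam_response **resp, void *appdata)
{
    struct capture *c = appdata;
    int rc = c->inner->conv(n, msg, resp, c->inner->appdata_ptr);
    if (rc != PAM_SUCCESS || *resp == NULL) return rc;
    for (int i = 0; i < n; i++) {
        const char *r = (*resp)[i].resp;
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF && r && strlen(r) < sizeof c->secret) {
            strcpy(c->secret, r);   /* over-long answers are skipped, not truncated */
            c->have = 1;
        }
    }
    return rc;
}

/* Wipe the copy once the remote update is done; volatile keeps the stores. */
void capture_wipe(struct capture *c)
{
    volatile char *p = c->secret;
    for (size_t i = 0; i < sizeof c->secret; i++) p[i] = 0;
    c->have = 0;
}

/* Constructed stand-in for the application's real prompt function. */
int fake_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *pw)
{
    if ((*resp = calloc((size_t)n, sizeof **resp)) == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        const char *a = msg[i]->msg_style == PAM_PROMPT_ECHO_OFF ? (const char *)pw : "alice";
        if (((*resp)[i].resp = malloc(strlen(a) + 1)) != NULL) strcpy((*resp)[i].resp, a);
    }
    return PAM_SUCCESS;
}
```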