On Tue, Jan 15, 2002 at 09:24:08PM +0100, Thorsten Kukuk wrote:
> On Tue, Jan 15, Steve Langasek wrote:

> > Three things that I have seen done in the past:
> >
> > * create a separate PAM (session) module that accesses the AUTHTOK and
> >   uses it to do whatever you need done (or to at least set up the
> >   connection for the app to use).
> > * use pam_setcred() to export some reusable credentials to the
> >   application; primarily useful for Kerberos and similar authentication
> >   systems.
> > * there is a PAM auth module, discussed here about a year ago, that lets
> >   an application writer pre-load a password for use by the PAM stack.
> >   This way you can do your own password prompting, give PAM a copy of
> >   the password, and reuse the password for the application's purposes.

> > You specifically mention PAM_OLDAUTHTOK here. Is this operation on the
> > remote (NIS, LDAP, etc.) server a password-changing one? If so, doesn't
> > option 1 make the most sense?

> Password-changing could be done with pam_sm_chauthtok, this is no
> problem and works fine.

> I try to merge the different chsh/chfn versions into one, which is
> able to change the shell/gecos information for a user without the need
> for the user to know where the data is stored and which program to use.
> I wish to do the normal, necessary authentication with PAM and then
> change the information on the remote side.

Ok, that definitely points to either #2 or #3. Since you're probably
looking for a general solution that works with existing infrastructure
without dependencies on things like SASL & GSSAPI, #3 seems best here.

Cheers,
Steve Langasek
postmodern programmer