Re: Applications and PAM_OLDAUTHTOK

On Wed, Jan 16, 2002 at 10:57:50AM +0100, Thorsten Kukuk wrote:
> On Tue, Jan 15, Steve Langasek wrote:
> 
> > > Password-changing could be done with pam_sm_chauthtok, this is no
> > > problem and works fine.
> > 
> > > I try to merge the different chsh/chfn versions into one, which is
> > > able to change the shell/gecos information for user without the need
> > > for the user to know where the data is stored and which program to use.

> > > I wish to do the normal, necessary authentication with PAM and then
> > > change the information on the remote side.

> > Ok, that definitely points to either #2 or #3.  Since you're probably 
> > looking for a general solution that works with existing infrastructure 
> > without dependencies on things like SASL & GSSAPI, #3 seems best here.

> I now export the password with pam_putenv. As far as I can see in the
> code, the PAM environment variables are only visible to the program? 
> Or could there be any security risks I don't see at the moment?

The PAM environment is not visible outside of the application.  As long 
as you don't have an application that takes the entire contents of the 
PAM environment and dumps them out to the actual process environment 
after successful authentication, you should be ok. ;)

Steve Langasek
postmodern programmer

Attachment: pgp00031.pgp
Description: PGP signature
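
The caveat in the reply above, as an added example that is not part of the original thread: an application that copies the PAM environment into the process environment can filter out the password variable first. The list here is constructed data in the "NAME=value" shape that pam_getenvlist() returns (libpam is not linked), and the variable name CHFN_OLDAUTHTOK and the function export_pam_env() are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical name of the variable the module set with pam_putenv(). */
static const char *const SECRET_VARS[] = { "CHFN_OLDAUTHTOK", NULL };

static int is_secret(const char *entry, size_t name_len)
{
    for (size_t i = 0; SECRET_VARS[i] != NULL; i++)
        if (strlen(SECRET_VARS[i]) == name_len &&
            strncmp(entry, SECRET_VARS[i], name_len) == 0)
            return 1;
    return 0;
}

/* Export "NAME=value" entries (pam_getenvlist() shape) to the process env;
 * secrets are skipped and wiped. Returns the count exported, -1 on error. */
int export_pam_env(char **envlist)
{
    int exported = 0;
    for (char **e = envlist; e != NULL && *e != NULL; e++) {
        char *eq = strchr(*e, '=');
        if (eq == NULL || eq == *e)
            continue;                       /* malformed entry: skip */
        if (is_secret(*e, (size_t)(eq - *e))) {
            for (volatile char *p = eq + 1; *p; p++)
                *p = '\0';                  /* wipe the password copy */
            continue;
        }
        *eq = '\0';                         /* split NAME and value */
        int rc = setenv(*e, eq + 1, 1);
        *eq = '=';                          /* restore the entry */
        if (rc != 0)
            return -1;
        exported++;
    }
    return exported;
}

int main(void)
{
    /* Constructed sample data standing in for pam_getenvlist() output. */
    char mail[] = "MAIL=/var/mail/alice", tok[] = "CHFN_OLDAUTHTOK=example";
    char *envlist[] = { mail, tok, NULL };
    printf("exported %d\n", export_pam_env(envlist));
    return 0;
}
```

Matching is on the exact variable name, so an unrelated variable that merely starts with the same prefix is still exported.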

