> Subject: Re: verifying a username AND password...?
> Date: 01 Mar 2002 20:58:35 +0800
> From: John Breen <locutus@borg.apana.org.au>
> Reply-To: pam-list@redhat.com
> To: pam-list@redhat.com
> References: <1014980314.388.26.camel@developer> <3C7F6F13.B8D4938B@gnet.tn>
>
> On Fri, 2002-03-01 at 20:07, Fathi Ben Nasr wrote:
>
> the USER is NOT connecting to the host.
>
> situation is, A user is connecting to the host for purposes of
> maintaining a database connection. the user won't be that user.
>
> the actual user needs to authenticate to the client-side application.
> the authentication tokens will come from the local machine, BUT the
> user's login name for the application may be different to the login name
> for the database.
>
> I hope that makes some kind of sense - it's sort of confusing to me now
> i come to think about it...

This does make sense to me. I had exactly this same problem with PAM and
Jabber. The issue was that the Jabber client (running on a PC over the
network) was passing a user name and password pair to Jabber which I wanted
to get authenticated by PAM.

I wrote my own "conversation" function (the one that does the password
prompting) and used the "appdata_ptr" feature to pass the password through
to it (for it to return back again!). I never found out if there was a
better way.

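Here's some code, if it helps :-

----------------------------------------------------------------------------------
#include <stdlib.h>
#include <string.h>
#include <security/pam_appl.h>

/* log_debug() and ZONE come from the jabberd sources. */

/* Conversation function: answers every prompt with the password that
 * was handed over through appdata_ptr. */
int my_conversation(int num_msg, const struct pam_message **msgm,
                    struct pam_response **response, void *appdata_ptr)
{
    int count = 0;
    struct pam_response *reply;

    log_debug(ZONE, "JAMES conversation, %d items", num_msg);

    if (num_msg <= 0 || appdata_ptr == NULL)
        return PAM_CONV_ERR;

    reply = (struct pam_response *) calloc(num_msg, sizeof(struct pam_response));
    if (reply == NULL)
        return PAM_BUF_ERR;

    for (count = 0; count < num_msg; ++count) {
        switch (msgm[count]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            /* log the prompt index only, never the password */
            log_debug(ZONE, "JAMES conversation prompt %d", count);
            reply[count].resp_retcode = 0;
            reply[count].resp = strdup((const char *) appdata_ptr);
            if (reply[count].resp == NULL) {
                /* out of memory: release what was allocated so far */
                while (count-- > 0)
                    free(reply[count].resp);
                free(reply);
                return PAM_BUF_ERR;
            }
            break;
        default:
            /* PAM_ERROR_MSG / PAM_TEXT_INFO: no response to supply */
            break;
        }
    }
    *response = reply;   /* the PAM module frees the replies */
    return PAM_SUCCESS;
}

/* Returns 1 if user/pass authenticate and the account is valid, else 0. */
int pam_authentication_ok(char *user, char *pass)
{
    struct pam_conv conv;
    pam_handle_t *pamh = NULL;
    int ret, so_far = 0;

    /* the password is kept out of the log */
    log_debug(ZONE, "JAMES pam_authentication_ok '%s'", user);

    conv.appdata_ptr = (void *) pass;
    conv.conv = my_conversation;

    ret = pam_start("jabberd", user, &conv, &pamh);
    /* pam_fail_delay() is a Linux-PAM extension; the delay is in microseconds */
    if (ret == PAM_SUCCESS) { so_far = 1; ret = pam_fail_delay(pamh, 1); }
    if (ret == PAM_SUCCESS) { so_far = 2; ret = pam_authenticate(pamh, 0); }
    if (ret == PAM_SUCCESS) { so_far = 3; ret = pam_acct_mgmt(pamh, 0); }
    if (ret == PAM_SUCCESS) { so_far = 4; ret = pam_end(pamh, ret); }
    else if (so_far > 0)    { pam_end(pamh, ret); } /* release the handle on failure too */

    log_debug(ZONE, "JAMES pam_authentication_ok(so_far=%d, ret=%d) return %d",
              so_far, ret, ((ret == PAM_SUCCESS) ? 1 : 0));
    return ((ret == PAM_SUCCESS) ? 1 : 0);
}

int pam_new_user_ok(char *user, char *pass)
{
    log_debug(ZONE, "JAMES pam_new_user_ok '%s'", user);
    return pam_authentication_ok(user, pass);
}
----------------------------------------------------------------------------------

James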