I'm afraid you have to worry about security and be root at some point, in order for the application to successfully "login".
Joe
Alois Treindl wrote:
I am moving a database application from HPUX to Redhat RHEL 3.0.
A user on a terminal session can login to the database by identifying herself with one of the legal user names of our system. The password is requested, and we used to compare it to the password stored in the HPUX /etc/passwd file.
Now, on RHEL the passwords are in the /etc/shadow file and we do not want to give the application root-setuid to be able to read it.
I decided to switch to PAM, but have no experience with it.
I took example code from "The Linux-PAM Application Developers' Guide" to get simple password based authentication.
My service is called 'kdv' and I created an entry /etc/pam.d/kdv containing:
    auth required pam_unix.so
My little test application pamtest.c reads like this:
#include <security/pam_appl.h>
#include <security/pam_misc.h>   /* misc_conv: prompts on the terminal */
#include <stdio.h>
#include <stdlib.h>              /* exit(), setenv() */

static struct pam_conv conv = {
    misc_conv,
    NULL
};

int main(int argc, char *argv[])
{
    pam_handle_t *pamh = NULL;
    int retval;
    const char *user = "nobody";

    if (argc == 2) {
        user = argv[1];
    }

    /* Export LOGNAME=<user>. (The earlier sprintf() into s[80] followed by
     * getenv() on the result had no effect and could overflow the buffer;
     * pam_unix does not consult LOGNAME either way.) */
    setenv("LOGNAME", user, 1);

    retval = pam_start("kdv", user, &conv, &pamh);       /* service "kdv" */

    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(pamh, 0);              /* is user really user? */

    if (retval == PAM_SUCCESS) {
        fprintf(stdout, "Authenticated\n");
    } else {
        fprintf(stdout, "retval=%d, Not Authenticated\n", retval);
    }

    if (pam_end(pamh, retval) != PAM_SUCCESS) {           /* close Linux-PAM */
        pamh = NULL;
        fprintf(stderr, "check_user: failed to release authenticator\n");
        exit(1);
    }

    return (retval == PAM_SUCCESS ? 0 : 1);               /* indicate success */
}
When I call pamtest username
I find that I get authenticated if username is equal to the current shell's logname.
but I do not get authenticated if I try pamtest other_username
(where other_username is a valid user and I know his password)
In the latter case, the syslog contains an entry
kdv(pam_unix)[29287]: authentication failure; logname=(mylogname) uid=xxx euid=xxx tty= ruser= rhost= user=other_username
What do I need to do so that pamtest allows me to authenticate for any user?
(The same way 'su' allows me to become any other user from my given shell session, if I know that user's password)
I am aware that I have very little understanding of PAM, and I would be happy to remain as ignorant as I am, if I just get that little task working.
Alois
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list