>> This seems to be a matter for the application rather than PAM -
>> certainly that's how I've always implemented such requirements.

Jason is dead on - it will have to be an application thing. The API doesn't (and shouldn't) provide something like that, as the intent of PAM is authentication abstraction, meaning local authentication or whatever. Because of that, it is not always possible to load up remote/local socket information, because it just doesn't exist, and the application that created the connection isn't passing that socket connection info into PAM.

> Thanks Jason (wow, there's a lot of Jasons).. This was unfortunately
> the answer I was expecting. The reason behind the PAM module is so
> that we wouldn't have to modify the code for our various services each
> time we wanted to upgrade them. However, I suppose adding a couple of
> lines to the code is still a lot better than having to add ~200 lines.

If the application had a mechanism to send the socket into PAM, it would be possible to do lookups.

One thing you can do is make the users log in with the entire user.at.hostname, and then have the module just use that. It allows you to do a module, without rewriting the service. If it is a customized app, then you will need to make sure that hostname connections come in on the right IP addresses, but odds are, the underlying networking mechanisms will force that to occur anyway.

Just use the jason@xxxxxxxxxxxxxxxxxxxxxxx method of usernames, and you may not have to alter your application.

Joe (not Jason) Lewis

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
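
The username convention suggested in the message above, sketched as an added example (not code from the thread or from Linux-PAM): a helper a module could run on the name it gets from `pam_get_user()`. The names `split_login` and `valid_host`, the split at the last `@`, and the sample logins are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept only DNS-style names: labels of 1..63 letters, digits or '-',
 * separated by '.', with no label starting or ending in '-'. */
static int valid_host(const char *h, size_t n)
{
    size_t label = 0;                       /* length of current label */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else {
            return 0;                       /* space, '/', control chars */
        }
    }
    return label > 0 && h[n - 1] != '-';
}

/* Hypothetical helper: split "user@host" at the LAST '@' (so the user
 * part may contain '@'). The host part is user-supplied text, so it is
 * checked for syntax only and lower-cased. Returns 0 on success, -1 if
 * a part is missing, malformed, or does not fit its buffer. */
int split_login(const char *login, char *user, size_t ulen,
                char *host, size_t hlen)
{
    const char *at = login ? strrchr(login, '@') : NULL;
    if (at == NULL) return -1;
    size_t un = (size_t)(at - login), hn = strlen(at + 1);
    if (un == 0 || un >= ulen || hn >= hlen || hn > 253) return -1;
    if (!valid_host(at + 1, hn)) return -1;
    for (size_t i = 0; i < un; i++)         /* no control chars in user */
        if (iscntrl((unsigned char)login[i])) return -1;
    memcpy(user, login, un);  user[un] = '\0';
    memcpy(host, at + 1, hn); host[hn] = '\0';
    for (char *p = host; *p; p++) *p = (char)tolower((unsigned char)*p);
    return 0;
}

int main(void)
{
    char u[32], h[64];                      /* constructed sample login */
    if (split_login("jason@Mail.Example.COM", u, sizeof u, h, sizeof h) == 0)
        printf("user=%s host=%s\n", u, h);
    return 0;
}
```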