Re: using pam_sm_auth

Tomas Mraz <tmraz@xxxxxxxxxx> · Thu, 06 Oct 2011 19:01:18 +0200



On Thu, 2011-10-06 at 12:12 -0400, leonel06013@xxxxxxxxxxxxxxxx wrote: 
> this is the function I have redefine for get the user and password from the user in
> the Gnome Windows login
> 
> #define PAM_SM_AUTH
> 
> #include <security/pam_modules.h>
> #include <security/pam_appl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/types.h>
> #include <pwd.h>
> #include <syslog.h>
> 
> 
> PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const
> char  ** argv)
> {
>     const char * userName = NULL;	//var to get the user name
>     char * userPasswd;       	               //var to get the user password
>     //others var
>     int pam_err, retry;
> 
>    //geting the users name, this work fine
>     if (pam_get_user(pamh, &userName, NULL) != PAM_SUCCESS)
>     {
> 	syslog(LOG_ERR, "cannot determine user name");
> 	return PAM_USER_UNKNOWN;
>     }
> 
>     if ( pam_get_item(pamh, PAM_AUTHTOK, (const void **)&userPasswd) != PAM_SUCCESS)
>     {
> 	syslog(LOG_ERR, "Error al extra el pass del usuario");
> 	return PAM_SYSTEM_ERR;
>     }
> 
>     return PAM_SUCCESS;
> }
> 
> this is the main instruction of my function, the part where I get the user name and
> de password, getting the user name work fine, but I can't obtain his password.
> This is a service module for PAM, not for and app.
> 
> I need obtain all this data when the user get login on Gnome, having this data I
> authenticate those values against my database and them I set knew credentials with
> pam_set_item, but this last part doesn't matter because the first part doesn't work
> yet.
> 
> If I call pam_get_authtok() function all work ok, I get the password fine, but I
> have to put the password twice, one for the function pam_get_authtok() and other for
> the system I guess, the same thing happened when I use the conversation function.
> 
> Then my problem now are two, one how can I get the user password without use
> pam_get_authtok or the conversation function? , and if I have to use one of those,
> how can avoid the second authentication in the Gnome window login.

The pam_get_authtok() supports the try_first_pass and use_first_pass
options for the module. So you just put one of these options to the
service configuration file in /etc/pam.d/ and it should work fine.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list