Re: Can I set the user to authenticate as?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2013-01-08 at 12:00 -0500, pam-list-request@xxxxxxxxxx wrote:
> On Fri, 4 Jan 2013 16:13:27 -0800
> Dylan Martin <dmartin@xxxxxxxxxxxxxxxxxx> wrote:
> 
> > With pam's flow-through-the-stack nature, I thought there might be a
> > module that would change the user name for authentication purposes.
> 
> Theoretically this is possible. However some services do break under
> these conditions if the username changes. For example OpenSSH has a
> problem with this. The main exception is, if characters are turned
> upper- or lowercase.
> 
> Some time ago I did write a PAM module that indeed alters the
> username.
> You can find the source code here:
> https://github.com/datenwolf/pam_propperpwnam
> 
> >From the README:
> 
> |pam_propperpwnam
> |
> |A PAM module that uses the entered login name as key to
> |query the password database configured through nsswitch.conf
> |and replaces the login name with what has been returned.
> |
> |On the typical system this module performs an identity transform.
> |The main usage scenario are systems in networks where a user name
> |is used in several distinct authentication systems, some of them
> |being case sensitive and others not. For example the mail system
> |may do case insensitive username lookups, while the workstations
> |are case sensitive. In such environments users are often puzzeled
> |about a username working in one situation does not work in another.
> 
> There's a pam_python module, that allows you to write PAM modules with
> Python. This is great for experimentation, I suggest you experiment
> with this.
> 
> But keep in mind that some things will break if you alter the login
> name; technically those things are broken and should be fixed. Good
> luck with filing bugs.
> 

You may also have to create an NSS module that performs the same
translation / canonicalisation so that user information functions
(getpwnam et al.) work as expected.

Cheers,
 - Martin


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list


[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux