Ah - I suspected that there would be issues like that either internal or external to PAM. Thanks for taking the time to respond. Regards, Bret -----Original Message----- From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Mraz Sent: 30 January 2015 14:48 To: Pluggable Authentication Modules Subject: Re: Feature suggestion - strip prefix and/or suffix on supplied username On Pá, 2015-01-30 at 13:59 +0000, Giddings, Bret wrote: > Hi all, > > I can't find anything online that matches this so it doesn't look like > pam already has this feature. > > At my site, many users will either use NETBIOSDOMAIN\username or > username@dns-domain when trying to authenticate. Depending on luck, > either might work on things windows related. However, when we slip > into the linux realm, both will fail. So, I was wondering if there > were a module which would sanitise the supplied username and strip > (specified) prefixes or suffixes if present. That would then result in > far fewer support calls to the helpdesk when they were in fact > presenting perfectly valid credentials, albeit with known but > redundant prefixes or suffixes. > > Is this possible at all? The problem is that some services that call PAM, namely sshd, do not support changing the user name inside the PAM modules. The modules can internally change the user name but it will not affect getpwnam() calls outside the PAM. So the module as you describe it would not be too useful with such services. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list