RE: Feature suggestion - strip prefix and/or suffix on supplied username

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Ah - I suspected that there would be issues like that either internal or external to PAM.

Thanks for taking the time to respond.



-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Mraz
Sent: 30 January 2015 14:48
To: Pluggable Authentication Modules
Subject: Re: Feature suggestion - strip prefix and/or suffix on supplied username

On Pá, 2015-01-30 at 13:59 +0000, Giddings, Bret wrote:
> Hi all,
> I can't find anything online that matches this so it doesn't look like
> pam already has this feature.
> At my site, many users will either use NETBIOSDOMAIN\username or
> username@dns-domain when trying to authenticate. Depending on luck,
> either might work on things windows related. However, when we slip
> into the linux realm, both will fail. So, I was wondering if there
> were a module which would sanitise the supplied username and strip
> (specified) prefixes or suffixes if present. That would then result in
> far fewer support calls to the helpdesk when they were in fact
> presenting perfectly valid credentials, albeit with known but
> redundant prefixes or suffixes.
> Is this possible at all?

The problem is that some services that call PAM, namely sshd, do not
support changing the user name inside the PAM modules. The modules can
internally change the user name but it will not affect getpwnam() calls
outside the PAM. So the module as you describe it would not be too
useful with such services.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

Pam-list mailing list

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux