Re: Some questions on userdbd and providing a compatible service

On Thu, 24.11.22 12:46, Dominik George (nik@xxxxxxxxxxxxx) wrote:

> Ah, so what would happen here is that even if the Multiplexer, which
> is privileged, talks to my IPC service and receives the "privileged"
> part, the Multiplexer will strip it off for me unless a privileged
> user is talking to it.

Correct.

> > Yeah, you have to deal with PAM yourself (unless you add classic
> > hashed UNIX passwords in the "privileged" section of your user records
> > – in that case pam_unix will just use that).
>
> That won't work. Actually, the final goal is to authenticate without
> ever handling the user password, e.g. using the OIDC Authorization
> Code Grant Flow or Device Code Grant Flow.

Yeah, I figured.

(BTW, I kinda hope that one day systemd-homed could directly
authenticate home directories via OIDC too. In fact, I want it so that
you can just type in any OpenID identity on a login prompt, and this
would authenticate a user and create a local homedir on the fly if
needed.)

> But generally, are the fields in the User Record objects fixed, or can
> I add my own fields? If I do, will they be ignored and passed on
> verbatim, or stripped, or cause an error preventing the User Record
> from being handled at all?

It's supposed to be extensible.

→ https://systemd.io/USER_RECORD/#extending-these-records

Lennart

--
Lennart Poettering, Berlin
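
The two mechanics discussed in this reply, the multiplexer dropping the "privileged" section for unprivileged callers and unknown extension fields being carried over verbatim, can be modelled in a few lines. The following is an added example written for this archive page; it is neither Lennart's nor systemd's code. The field names userName, uid, gid, realName, homeDirectory, shell, privileged and hashedPassword are taken from the USER_RECORD specification; the record contents, the "org.example.oidc" extension key, the reverse-DNS naming convention used to spot extension fields, and every function name are assumptions made for the example.

```python
"""Added example (not from the thread or from systemd): models the
"privileged" section handling the reply describes, where the privileged
userdb multiplexer strips that section before handing a record to an
unprivileged client, and the carry-over of unknown extension fields.
Spec'd field names: userName, uid, gid, realName, homeDirectory, shell,
privileged, hashedPassword. Everything else below is constructed."""
import copy
import json

# Constructed sample record, shaped like what an IPC backend (such as the
# OIDC-backed service discussed in the thread) might return to the multiplexer.
SAMPLE_RECORD = json.dumps({
    "userName": "alice",
    "uid": 20001,
    "gid": 20001,
    "realName": "Alice Example",
    "homeDirectory": "/home/alice",
    "shell": "/bin/bash",
    # Extension field (constructed). The reverse-DNS prefix is an assumed
    # convention to keep custom keys from clashing with specified ones.
    "org.example.oidc": {
        "issuer": "https://issuer.example",
        "subject": "sub-123",
    },
    # The "privileged" section. hashedPassword is where classic UNIX password
    # hashes would go if a backend chose to supply them (placeholder value).
    "privileged": {
        "hashedPassword": ["$6$PLACEHOLDERSALT$PLACEHOLDERHASH"],
    },
})


def filter_record_for_client(record_json: str, client_uid: int) -> dict:
    """Return the record view a client running as client_uid should receive.

    Only root (uid 0) keeps the "privileged" section; any other caller gets
    a copy with it removed. Every other field, known or unknown, passes
    through unchanged.
    """
    record = json.loads(record_json)
    if client_uid == 0:
        return record
    stripped = copy.deepcopy(record)
    stripped.pop("privileged", None)
    return stripped


def extension_fields(record: dict) -> dict:
    """Collect fields this consumer does not itself define, identified here
    by the assumed reverse-DNS naming convention (a '.' in the key)."""
    return {key: value for key, value in record.items() if "." in key}


def has_unix_password_hash(record: dict) -> bool:
    """True if the record carries a classic hashed UNIX password that a
    pam_unix-style module could consume. This lives in the privileged
    section, so it is always False for what an unprivileged client sees."""
    hashes = record.get("privileged", {}).get("hashedPassword", [])
    return isinstance(hashes, list) and len(hashes) > 0


def rewrite_record(record: dict, **updates) -> str:
    """Re-serialise a record after a consumer changed a known field, showing
    that unknown extension fields survive the round trip untouched."""
    updated = copy.deepcopy(record)
    updated.update(updates)
    return json.dumps(updated, sort_keys=True)


if __name__ == "__main__":
    for uid in (0, 1000):
        view = filter_record_for_client(SAMPLE_RECORD, uid)
        print(f"client uid {uid}: fields={sorted(view)} "
              f"unix_password={has_unix_password_hash(view)} "
              f"extensions={list(extension_fields(view))}")
```

Running the block prints the two views side by side: the root view keeps "privileged" (and therefore the password hash), the uid 1000 view has it removed, and in both cases the "org.example.oidc" block is still present and survives re-serialisation after a field edit.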
