Subject: Re: Passing password through a PAM-API
From: Michael Gerdts (Michael.Gerdtsusa.alcatel.com)
Date: Thu Dec 14 2000 - 10:04:24 CST


On Thu, Dec 14, 2000 at 08:33:11AM -0600, Benjamin S Vera-tudela wrote:
> $ myapp login [user] passwd [password]
>

Are you sure that you really want to do that? Anyone else on the box can
then use ps(1) to get passwords of others.

> Second, I noticed in the PAM website that an example application requires
> application writers that wish to use PAM to add a couple of lines in the
> /etc/pam.conf file that look like this:
>
> [service name] auth required [pam auth library name]
> [service name] account required [pam acct library name]
>
> Is it possible to avoid having to do this? I believe that one option is to
> provide your own authentication module (library) -- in the same way login,
> su, and other Linux apps do --, and link your application to that module.
> Are there any other options? Having to provide another library in my
> application is the last option, so modifying the pam.conf file is probably
> ok, but if there is an option that does not require providing a new library
> and changing the pam.conf file, I would be glad to know about it.

Most pam implementations use other (OTHER for HP-UX) as a catchall for
apps that do not use any special library. If all of your apps only needed
pam_unix, the following would be all that you really need

   other auth required /lib/security/pam_unix.so.1
   other account required /lib/security/pam_unix.so.1
   other session required /lib/security/pam_unix.so.1
   other password required /lib/security/pam_unix.so.1

Mike

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
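
An added example, not part of the original message or of any PAM implementation: a small resolver for pam.conf-style lines that reports, per module type, whether a service gets its own stack or falls through to the `other` catch-all described above. The service names `myapp` and `unlisted-app`, the per-type fallback and the case-insensitive service match are assumptions of this sketch, and it handles only single-word control flags.

```python
MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample: the catch-all lines from the message, plus one
# hypothetical service ("myapp") that only defines its own auth stack.
SAMPLE_PAM_CONF = """\
# service  type      control   module
myapp      auth      required  /lib/security/pam_unix.so.1
other      auth      required  /lib/security/pam_unix.so.1
other      account   required  /lib/security/pam_unix.so.1
other      session   required  /lib/security/pam_unix.so.1
other      password  required  /lib/security/pam_unix.so.1
"""


def parse_pam_conf(text):
    """Return {service: {type: [(control, module, args), ...]}}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].lower() not in MODULE_TYPES:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module = fields[:4]
        # Assumption: service names are matched case-insensitively here,
        # so HP-UX's "OTHER" and "other" land in the same bucket.
        entry = (control, module, fields[4:])
        stacks.setdefault(service.lower(), {}).setdefault(mtype.lower(), []).append(entry)
    return stacks


def resolve(stacks, service):
    """Return {type: (source, entries)}; source is the service or 'other'."""
    own = stacks.get(service.lower(), {})
    fallback = stacks.get("other", {})
    return {
        t: (service.lower(), own[t]) if t in own else ("other", fallback.get(t, []))
        for t in MODULE_TYPES
    }


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for name in ("myapp", "unlisted-app"):
        for mtype, (source, entries) in resolve(stacks, name).items():
            modules = ", ".join(m for _, m, _ in entries) or "(none)"
            print(f"{name:13} {mtype:9} from {source:6} -> {modules}")
```

Running it against a real configuration shows at a glance which applications authenticate through the catch-all rather than through entries written for them.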