From: Nicolas Williams (Nicolas.Williamsubsw.com)
Date: Fri Feb 16 2001 - 11:28:12 CST

    And for apps like XDM or loginwindow where the app prompts for a
    username AND a password before calling pam_authenticate, it would be
    useful to be able to pam_set_item(PAM_AUTHTOK).

    I have such an app. I cannot change it, but it can load a library for
    handling authentication, so we've made such a library, based on PAM,
    that provides the necessary methods to the app. The library does provide
    a conversation function and it can prompt the user, but currently the
    user is prompted for her password AGAIN after typing it in once in the
    original xdm-like login panel.

    Nico

    On Thu, Feb 15, 2001 at 10:10:49AM -0000, Mayers, Philip J wrote:
    > Because it's a simple, cross-platform interface, and I can change the
    > backend plugin between pam_db, pam_krb5, pam_mysql, or whatever. I don't see
    > the need to reinvent the wheel - all it's missing is one spoke :o)
    >
    > I can come up with a module-driven scheme (multiple page reloads) but it's
    > ick. I also don't buy the argument that PAM should only be used for
    > interactive authentication.
    >
    > But hey, you're the boss. Topic closed.
    >
    > Regards,
    > Phil
    >
    > +----------------------------------+
    > | Phil Mayers, Network Support |
    > | Centre for Computing Services |
    > | Imperial College |
    > +----------------------------------+
    >
    > -----Original Message-----
    > From: Andrew Morgan [mailto:morgantransmeta.com]
    > Sent: 13 February 2001 23:09
    > To: pam-listredhat.com
    > Subject: Re: [ Bug #129027 ] 0.73: PAM_AUTHTOK behavior
    >
    >
    > "Mayers, Philip J" wrote:
    > > So, back to my original query:
    > >
    > > What's wrong with code like this:
    > >
    > > pam_set_item(pamh, PAM_AUTHTOK, "passw0rD");
    > > pam_authenticate(pamh, 0);
    > >
    > > It doesn't work in Pam 0.74 because of sanitisation. I'm only interested in
    > > *one* application for this, and that's non-interactive programs which have a
    > > username and password combination (think webservers and mail relays).
    >
    > Think, why are you using PAM for this?
    >
    > > Clearly you'll sanitise the AUTHTOK on the way out. But on the way *in*?! I
    > > know exactly what the reply is - "Binary prompts". But I don't want to use
    > > that. I want something simple that works, which this does. try_first_pass
    > > will still work. use_first_pass is an administrator choice.
    >
    > If you know that the only authentication method you are ever going to
    > use is password based, why are you going to the trouble of using PAM?
    >
    > If you want to have a hard coded password authentication and use PAM for
    > something else, then why not do this:
    >
    > if ((my_predefined_authentication() == MY_SUCCESS)
    >     && (pam_authenticate(pamh, 0) == PAM_SUCCESS)) {
    >     you_are_in();
    > } else {
    >     sorry_permission_denied();
    > }
    >
    > One of the main things with PAM is that the modules drive the process of
    > authentication. If the admin wants to plug in pam_permit.so then the
    > user never needs to see a password prompt. What you are trying to do is
    > tell PAM: here is the password I've decided you need - what control does
    > an admin have over that?
    >
    > > <sigh>:o)
    > >
    > > This is never going to happen, is it?
    >
    > If you can come up with some scheme for getting a module to drive the
    > request for a password, then it might.
    >
    > Cheers
    >
    > Andrew
    >
    >
    >
    > _______________________________________________
    > Pam-list mailing list
    > Pam-listredhat.com
    > https://listman.redhat.com/mailman/listinfo/pam-list

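As an added example (not code from this thread or from Linux-PAM): an xdm-like front end can avoid a second password prompt without setting PAM_AUTHTOK by using a conversation function that replays what the login panel already collected, and only when a module actually asks. `struct panel_creds` and `panel_conv` are hypothetical names, the fallback declarations are used only when the PAM headers are not installed, and echo-on prompts are assumed to ask for the login name.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_PAM_HEADERS 1
#  endif
#endif
#ifndef HAVE_PAM_HEADERS /* fallback mirroring Linux-PAM's declarations */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
#endif

/* Hypothetical holder for what the login panel already collected. */
struct panel_creds { const char *user; const char *password; };

/* Conversation callback (Linux-PAM msg layout): replays the panel's values
 * when a module asks, so the module still decides whether to ask at all.
 * Assumption: any echo-on prompt is asking for the login name. */
int panel_conv(int n, const struct pam_message **msg,
               struct pam_response **resp, void *appdata)
{
    const struct panel_creds *c = appdata;
    struct pam_response *r;
    int i = 0;
    if (n <= 0 || !c || !(r = calloc((size_t)n, sizeof *r)))
        return PAM_CONV_ERR;
    for (; i < n; i++) {
        const char *ans = NULL; size_t len;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: ans = c->password; break;
        case PAM_PROMPT_ECHO_ON:  ans = c->user;     break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:       continue;      /* no reply expected */
        default:                  goto fail;     /* unknown style: refuse */
        }
        if (!ans || !(r[i].resp = malloc(len = strlen(ans) + 1)))
            goto fail;
        memcpy(r[i].resp, ans, len);
    }
    *resp = r;   /* libpam frees the array and each resp string */
    return PAM_SUCCESS;
fail:
    while (i-- > 0) free(r[i].resp);   /* free(NULL) is a no-op */
    free(r);
    return PAM_CONV_ERR;
}
```

With the PAM headers present, the callback is handed to `pam_start()` through `struct pam_conv conv = { panel_conv, &creds };`.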