Passing information from app to module by pam_*env

Steve Langasek vorlon at debian.org
Wed Sep 5 10:25:26 UTC 2007


On Tue, Sep 04, 2007 at 12:41:16PM +0200, Tobias Heide wrote:
> I hope, my posting won't arrive twice, because I first used a wrong
> Sender-Address...

> I am about to implement a XACML-PAM-Module for a student research
> project. As a test-application I have to use a SOCKS5-Server, which
> already has some basic PAM-Support (Dante).

> But: I want to pass information from the Server to the PAM-Module, e.g.
> the destination address of the request. The PAM-Module should then pass
> this information to the XACML-"Server". The general goal is, to have
> more information to make the authorisation-decision.

> I plan to pass this information by pam_*env-functions. Is this a safe
> way? Are there any objections? I could not find any module that makes
> use of these functions, so I thought it might not be recommended?

If you have to code both your app and your module to exchange extra
information, then it's no longer very "pluggable", is it?

When a module needs additional information in order to do its job, it's
expected that the module will use the conversation function provided by the
app in order to request this information from the user in some fashion.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/




More information about the Pam-list mailing list