Passing information from app to module by pam_*env

Tobias Heide tucks at gmx.de
Wed Sep 5 11:34:41 UTC 2007


Steve Langasek wrote:
 > If you have to code both your app and your module to exchange extra
 > information, then it's no longer very "pluggable", is it?

Note: only the application passes data to the module, not the other way 
round. The module should have the ability to make more granular 
authorisation decisions ("Shall user X be granted access to Port 80 of 
Host Y?"). I just want to pass the information that the requested 
"resource" is Port 80 of Host Y.

 > When a module needs additional information in order to do its job, it's
 > expected that the module will use the conversation function provided by the
 > app in order to request this information from the user in some fashion.

The problem with that is that most existing applications simply send 
the password when PAM_PROMPT_ECHO_OFF is sent to them. So I would have 
to add new messages to the PAM library. I don't think that's cool.

Thanks so long,
tobi
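
The module side of the pam_*env approach discussed in this message, as an added example that is not part of the original post or of Linux-PAM. The variable name PAM_RESOURCE, the "host:port" format, the BUILD_AS_PAM_MODULE switch and policy_allows() are assumptions; the point shown is that the module parses the value strictly and denies when it is missing or malformed.

```c
/* Added example: module-side handling of a resource passed via the PAM
 * environment. PAM_RESOURCE and the "host:port" format are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Strictly parse "host:port" (host names and IPv4 only).
 * Returns 0 on success, -1 on any missing or malformed input. */
int parse_resource(const char *val, char *host, size_t hostlen, int *port)
{
    if (val == NULL) return -1;                  /* variable was never set */
    const char *colon = strrchr(val, ':');
    if (colon == NULL || colon == val) return -1;
    size_t n = (size_t)(colon - val);
    if (n >= hostlen) return -1;                 /* would not fit with NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)val[i];
        if (!isalnum(c) && c != '.' && c != '-') return -1;
    }
    const char *p = colon + 1;
    if (!isdigit((unsigned char)*p)) return -1;  /* rejects "", "+80", " 80" */
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (errno || *end != '\0' || v < 1 || v > 65535) return -1;
    memcpy(host, val, n);
    host[n] = '\0';
    *port = (int)v;
    return 0;
}

#ifdef BUILD_AS_PAM_MODULE  /* cc -fPIC -shared -DBUILD_AS_PAM_MODULE ... -lpam */
#include <security/pam_modules.h>
/* Hypothetical policy hook: may this user reach host:port? */
extern int policy_allows(const char *user, const char *host, int port);

int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user;
    char host[256];
    int port;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) return PAM_PERM_DENIED;
    /* The application called pam_putenv(pamh, "PAM_RESOURCE=hostY:80") earlier. */
    if (parse_resource(pam_getenv(pamh, "PAM_RESOURCE"), host, sizeof host, &port))
        return PAM_PERM_DENIED;              /* missing or malformed: fail closed */
    return policy_allows(user, host, port) ? PAM_SUCCESS : PAM_PERM_DENIED;
}
#endif
```

An application that knows nothing about the variable never sets it, so a module written this way denies access for such applications rather than granting it by default.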



