Re: snoop capabilities?

Theodore Y. Ts'o wrote:
> 	I think Jeremy is looking for something where you can snoop on
> the entire login session, not just the PAM applications --- and the
> answer to his question is No, PAM doesn't provide that level of an
> interface.

I agree with Ted in that this sort of thing is not addressed by the PAM
spec., however, everything I said before _is_ true and I am sure it is what
Jeremy is after... ;^)

Here is a simple example: try running pam_filter with upperLOWER on 'su'.

Insert this as the _last_ authentication line in your pam.conf file on a
stock Red Hat system (after the pam_unix_auth or pam_pwdb etc.. "auth"

su      auth       required     /lib/security/pam_filter.so \
                                        run1 /usr/sbin/pam_filter/upperLOWER

The resulting behavior will give you a flavor of being back in the days when
UPPER CASE was the norm and terminals weren't very sophisticated... (NOTE:
When you experience trouble entering shell commands try pressing caps-lock
and typing them in upper case...)

To be strict about it (and to agree with Ted's sentiment), PAM does not
address this sort of thing.  This is basically code that pushes the PAM

All of the terminal stuff in pam_filter is probably not very portable, and I
fully realize this was not what PAM was ever intended to do, this is mostly
why I never wrote any more filters... However, as you will see by this
example, it actually works and besides, it just seemed like a neat trick at
the time!!

Have fun...


PS. pam_filter, to my knowledge, only works on i386 Linux, I did try to be
POSIX about terminal handling, but I have no data points for other
architectures or platforms...
               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
       [ For those that prefer FTP  ---  ftp://ftp.lalug.org/morgan ]
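
A filter configured as in the message above sits between the user's terminal and the application, so it is useful to know which services have one. The following is an added example, not part of the original message or of Linux-PAM: it lists every pam_filter.so entry in pam.conf-style text. The sample configuration is constructed, and the names find_filters and logical_lines are hypothetical.

```python
import re

# Constructed sample in /etc/pam.conf layout: service type control module [args]
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from a real system
su      auth       required     /lib/security/pam_pwdb.so shadow nullok
su      auth       required     /lib/security/pam_filter.so \\
                                        run1 /usr/sbin/pam_filter/upperLOWER
login   auth       required     /lib/security/pam_pwdb.so shadow nullok
su      session    required     /lib/security/pam_pwdb.so
"""

# The control field may be one word or a bracketed [value=action ...] list.
ENTRY = re.compile(r"(\S+)\s+(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        entry, buf = (buf + line).split("#", 1)[0].strip(), ""
        if entry:
            yield entry


def find_filters(text):
    """Return one record per pam_filter.so entry, with the program it runs."""
    findings = []
    for entry in logical_lines(text):
        m = ENTRY.fullmatch(entry)
        if not m or not m.group(4).endswith("pam_filter.so"):
            continue
        args = m.group(5).split()
        # run1 / run2 select the mode; what follows is the filter and its args
        idx = next((i for i, a in enumerate(args) if a in ("run1", "run2")), None)
        findings.append({
            "service": m.group(1),
            "type": m.group(2),
            "mode": args[idx] if idx is not None else None,
            "filter": args[idx + 1:] if idx is not None else [],
        })
    return findings


if __name__ == "__main__":
    for f in find_filters(SAMPLE_PAM_CONF):
        print(f)
```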

