[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non-interactive authentications...

On Mon, Aug 17, 1998 at 03:21:28PM -0400, The Hermit Hacker wrote:
> I was reading through the archives, and someone mentioned an upcoming
> libpam_client.a that will have functionality for such, but I was thinking
> about it, and could you not "cheat"?
> I'm trying to build a PAM wrapper for pwcheck, used in Cyrus IMAPd, for
> authentication.  Basically, the IMAPd/POP daemon(s) connect, via a socket,
> to the pwcheck daemon to authenticate.  They pass over a userid/passwd, and
> get back a yes/no answer.
> Now, you pass the userid to pam_start(), and then the pam_conv does the
> actual conversation for the passwd...right?  If this is the case, why not
> cheat and just make the passwd a global variable that pam_conv uses,
> instead of going through the conversation phase?

PAM is designed for interactive authentication.
PAM modules give a prompt and ask for what they want.
It supposes that a human will answer, because it is hard to write software
that gives reasonable answers to arbitrary and unpredictable questions.

There are some approaches to using PAM for fixed protocols like FTP
or POP, but these approaches abuse the interactive and "module-centric" nature
of PAM.

> Does this make any sense?  Has anyone done something like this?  Or is
> this just not possible?

I am thinking about a different authentication API: Pluggable Non-Interactive
Modules. My main idea is that the application should provide the modules with
a number of input items and a number of possible responses.
The stack of modules should consider the input and give a verdict:
authentication failed, or another valid (from the application's point of view)
answer. At the moment it isn't clear to me how to make the stack of modules
give a consistent answer.

Naturally, the API is also suitable for authorization and accounting purposes.
Modules can provide all the necessary information associated with a user's account
(home directory, shell, etc.) so that applications use only one source
for that information. With PAM, applications are forced to do authentication
and authorization via PAM but look up the user ID and home directory using
different code, like libc or pwdb.

Best regards
					Andrey V.
