
Re: non-interactive authentications...

> PAM is designed for interactive authentication.
> PAM modules give a prompt and ask what they want.
> It supposes that a human will answer because it's hard to write software
> giving reasonable answers to arbitrary and unpredictable questions.

> There are some approaches to use PAM for fixed protocols like FTP
> or POP but the approaches abuse the interactive and "module-centric" nature
> of PAM.

That is not entirely true. The very purpose of providing the
ability to use application-specified conversation functions is
to let the application decide how to get its inputs (either
interactively or non-interactively). So as an application I can
write a conversation function that may even read from a file
and then return the pam_resp->resp structures corresponding
to the message styles PAM_PROMPT_ECHO_ON (username)
and PAM_PROMPT_ECHO_OFF (password). You can also
set the name of the user when you call pam_start. Thus if the
application would call pam_start with the appropriate
conversation function parameter, and then directly call
pam_authenticate(), then PAM will take care of getting the
username and password *using* the way the application wants
it (either from a user, or opening a connection and reading from
the client, or even directly from a file).
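
A conversation function of the kind this reply describes, as an added example that is not part of the original message. The names `struct creds` and `noninteractive_conv` are hypothetical, the message array is indexed the Linux-PAM way (`msg[i]->`), the fallback definitions are only used when the PAM headers are not installed, and any prompt style other than the two named above makes the conversation fail.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else  /* no PAM headers: minimal copies of the Linux-PAM definitions */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
#endif

/* Hypothetical holder for credentials the application already obtained
 * (read from the client connection, from a file, ...). */
struct creds { const char *user; const char *pass; };

/* Conversation function: answers each prompt from appdata instead of a
 * terminal. PAM frees the reply array and every resp string itself. */
static int noninteractive_conv(int n, const struct pam_message **msg,
                               struct pam_response **resp, void *appdata)
{
    const struct creds *c = appdata;
    struct pam_response *r;

    if (n <= 0 || c == NULL || c->user == NULL || c->pass == NULL)
        return PAM_CONV_ERR;
    r = calloc((size_t)n, sizeof *r);
    if (r == NULL)
        return PAM_BUF_ERR;

    for (int i = 0; i < n; i++) {
        const char *answer = NULL;
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON)
            answer = c->user;            /* echoed prompt: username */
        else if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF)
            answer = c->pass;            /* hidden prompt: password */
        if (answer == NULL || (r[i].resp = strdup(answer)) == NULL) {
            /* Unexpected prompt style or out of memory: fail closed. */
            for (int j = 0; j < i; j++)
                free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

To use it, initialise `struct pam_conv conv = { noninteractive_conv, &creds };`, pass `&conv` to pam_start() and then call pam_authenticate(), linking with `-lpam`.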

