Andrew Morgan wrote:

> This is "credential" information. If I understand it correctly, you
> are trying to do the following:
>
> 1 client dials in
> 2 login authenticates user (via PAM)
> 3 login runs pppd
>
> You would like 2 to obtain IP address etc., info and to thus modify
> the way in which pppd is invoked. Is this correct?

Yes, but in a way that does not require any exterior scripts or outside helper programs, it all happens seamlessly inside PAM.

For example, it would go like this:

1 client dials in
2 pppd runs (from mgetty, without a login)
3 pppd authenticates user via PAM (already supported)

Here comes the bit:

4 the PAM module underneath PAM optionally knows about ppp's special options. (Such a PAM module might be the pam_radius module). This module needs to tell pppd certain things, like possibly its IP address, etc.
5 The PAM module (such as pam_radius) passes these optional parameters through the generic PAM interface, through to the actual application (such as pppd). These parameters are not parsed by PAM, they are simply passed through.
6 The application (such as pppd) acts on these additional config parameters.

> As a simple experiment, you could use environment variables (generated
> with pam_setenv()) to propagate the relevant info, and replace 3 with
> a shell wrapper which prepares an 'exec pppd XXXX ...' line, where
> 'XXXX ...' are all of the arguments that can be obtained from the
> inherited environment variables.

Hmmm - ok, let's look at this. What we could define is this:

When a PAM module is called upon to authenticate someone, it can optionally set a number of well known environment variables (eg PAM_IPADDRESS, PAM_GROUP, PAM_FIREWALL) with additional information. The actual PAM library will completely ignore these environment variables.

The application that uses PAM then looks to see if these environment variables exist, and acts on them if they do.

In this way one could have the situation where someone was authenticated via PAM using login, and then later when they run pppd the environment is set up for them. The only problem is that if the user had shell access between the time the PAM authentication occurred, and the time the app was run, they could change these parameters, which may be a problem if this info is to be enforced (such as pppd setting firewall rules, for example).

Any thoughts?

Regards,
Graham
--
-----------------------------------------
email@example.com		"There's a moon
VWV Interactive			over Bourbon Street tonight...
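An added example, not part of the original message or of any PAM or pppd source: a sketch of the application side of the pass-through idea discussed above, reading PAM_IPADDRESS and PAM_GROUP (the names proposed in the message) only from a list handed over by the authenticating code, in the NAME=value array form that Linux-PAM's pam_getenvlist() returns, rather than from the inherited process environment, and validating each value before use. The struct, the function names, the group-name character rule and the sample values are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical: values an application such as pppd would accept. */
struct ppp_params {
    struct in_addr ip;  /* valid only when have_ip is 1 */
    int have_ip;
    char group[33];     /* empty when not supplied */
};

/* Find NAME in a NULL-terminated "NAME=value" list; NULL if absent. */
static const char *envlist_get(char *const *list, const char *name)
{
    size_t n = strlen(name);
    for (; list && *list; list++)
        if (strncmp(*list, name, n) == 0 && (*list)[n] == '=')
            return *list + n + 1;
    return NULL;
}

/* Returns 0 on success, -1 when a supplied value is malformed, in
 * which case the caller should refuse to apply any of the settings. */
int ppp_params_from_envlist(char *const *list, struct ppp_params *out)
{
    const char *v;
    memset(out, 0, sizeof *out);
    if ((v = envlist_get(list, "PAM_IPADDRESS")) != NULL) {
        if (inet_pton(AF_INET, v, &out->ip) != 1)
            return -1;  /* not a dotted-quad IPv4 address */
        out->have_ip = 1;
    }
    if ((v = envlist_get(list, "PAM_GROUP")) != NULL) {
        size_t len = strlen(v);
        if (len == 0 || len >= sizeof out->group ||
            strspn(v, "abcdefghijklmnopqrstuvwxyz0123456789_-") != len)
            return -1;  /* assumed allow-list for group names */
        memcpy(out->group, v, len + 1);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample list, not real module output. */
    char *sample[] = { "PAM_IPADDRESS=192.0.2.10", "PAM_GROUP=dialin", NULL };
    struct ppp_params p;
    int rc = ppp_params_from_envlist(sample, &p);
    printf("rc=%d group=%s\n", rc, p.group);
    return rc ? 1 : 0;
}
```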