Derrick J Brashear wrote:

> This is beyond the scope of PAM, and it should be. PAM is after all "Pluggable
> Authentication Modules", and while that's information which is dependent on who
> authenticates, it's not authentication information.

It is beyond the scope of PAM, yes - but this should mean that PAM should pass this data, and not interpret it in any way.

The reason why I'd like PAM to handle this is because actual authentication is only part of a login process. In actual applications, the authentication part is handled by PAM, however credentials are set using machine specific functions. As a result, the advantages of using PAM are lost.

As a concrete example, I wanted to install PAM support into the Apache webserver, so that I could do basic authentication using PAM. The trouble was, to check whether a user was in the required group, it used Linux specific calls to determine group membership. This has prevented me both from running this module under Solaris, and also authenticating people using LDAP (the pam_ldap module).

> Given that you already need to code your patches to understand this information
> (since it's not just generic PAM information) I have 2 suggestions:
> a) use pam_putenv foo to set environment variables, and pam_getenv to read them
> back out in the app, if you *must* do it through pam.

I think the best suggestion should be the creation of a parallel protocol, perhaps called Pluggable Credentials Modules, that would do the same as PAM, but for credentials. An application can then use PAM, PCM, or both at its discretion.

Any thoughts?

Regards,
Graham
--
-----------------------------------------
firstname.lastname@example.org      "There's a moon
VWV Interactive                     over Bourbon Street tonight...
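Suggestion (a) quoted above, seen from the application side, as an added example that is not part of the original message: the module publishes group names through the PAM environment and the application makes the authorization decision on the string it reads back. The variable name `PAM_GROUPS`, its comma-separated format and the function `group_list_allows` are assumptions made for illustration.

```c
/* Added example, not from the thread. PAM_GROUPS is a hypothetical
 * variable name. A module would publish it with
 *     pam_putenv(pamh, "PAM_GROUPS=staff,webadmin");
 * and the application would read it back with
 *     const char *list = pam_getenv(pamh, "PAM_GROUPS");
 * The function below is the application-side check on that string. */
#include <stdio.h>
#include <string.h>

/* Return 1 only if `required` appears as a whole comma-separated item
 * in `list`. NULL or empty input denies (fail closed), so a module
 * stack that never set the variable cannot grant access. */
int group_list_allows(const char *list, const char *required)
{
    size_t want;

    if (list == NULL || required == NULL)
        return 0;
    want = strlen(required);
    if (want == 0 || strchr(required, ',') != NULL)
        return 0;                        /* reject empty or list-like names */

    while (*list != '\0') {
        size_t len = strcspn(list, ",");  /* length of the current item */
        if (len == want && memcmp(list, required, want) == 0)
            return 1;                    /* exact item match, not substring */
        list += len;
        if (*list == ',')
            list++;                      /* step over the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample value, standing in for pam_getenv() output. */
    const char *from_pam = "staff,webadmin,ldap-users";

    printf("webadmin: %d\n", group_list_allows(from_pam, "webadmin"));
    printf("admin:    %d\n", group_list_allows(from_pam, "admin"));
    printf("unset:    %d\n", group_list_allows(NULL, "webadmin"));
    return 0;
}
```

Because the check depends only on what the module stack exported, it behaves the same on Linux and Solaris and with any backend, but it is only as trustworthy as the modules allowed to set that variable.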