
Re: Authentication in CGIs via PAM


On Mon, Dec 20, 1999 at 01:31:17AM +0100, Enrico Zini wrote:
> I have two problems right now:
>  1) The conversational function would need to write an HTML form and exit, to
>     find its data in the next invocation of the program, and it seems
>     impossible to me to code that;
>  2) In the conv. function, I know how to prompt the user for input, but I don't
>     know what input I'm prompting for; this makes things difficult for two
>     things: 
>      a) it's difficult to provide user friendly or internationalized forms, or
>         forms with a little help on what they are asking about;
>      b) if I work around problem 1) asking for data on a special form before
>         calling the conversational function, I don't know how to associate user
>         fields with the appropriate PAM questions, besides using the PAM prompt
>         as a key; this approach could solve many things, but what warranties do
>         I have that the prompts will never change?

You asked good questions.  But such problems are not new.
The PAM interface was designed for specific kinds of applications (like login or
telnetd) and may not be convenient for all needs.

In many PAMified applications people ask the user about his username and
password.  Then in the conversation function they assume that ECHOOFF questions
are about the password and ECHOON questions are about the username.
You may say that it's a dirty trick and I will agree.
Relying on the prompts will not be a reliable solution either.

If you want to implement a correct solution you may create a special daemon
keeping PAM handles and doing the authentication.  Your CGI scripts will
communicate with the daemon reading the prompts (and converting them into
HTML) and passing the user data back.  This construction will be correct from
the PAM point of view.

Surely you will not be able to solve problem 2b this way.  This problem is
hardly solvable with the PAM API.

You may also wish to look at the PNIAM project.
I started it to specifically address the needs of applications to
_understand_ what modules ask and repeat the question in a suitable form to
the user or answer themselves.

Be aware that the PNIAM project is deployed orders of magnitude more rarely than
PAM and is still far away from being a standard of any kind.
But if you wish to participate in the project or use it for your needs
you're welcome!

Best wishes
					Andrey V.
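
Added example, not part of the original message: a Linux-PAM conversation function implementing the ECHOOFF/ECHOON heuristic described above for credentials a CGI has already collected from its form, failing closed when a module asks for anything beyond one username and one password prompt. The names `form_creds`, `form_conv`, `dup_str` and `fail` are hypothetical; the fallback declarations mirror Linux-PAM's so the file also compiles without the PAM development headers.

```c
#include <stdlib.h>
#include <string.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* fallback mirroring Linux-PAM's declarations, for hosts without the headers */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19,
       PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
#endif

/* Hypothetical: form fields the CGI already parsed, plus prompt counters that
   persist across conversation calls within one authentication attempt. */
struct form_creds { const char *user, *pass; int on_seen, off_seen; };

static char *dup_str(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    return p ? memcpy(p, s, len) : NULL;
}
/* Free partial answers on the error path, as nothing is handed to the caller. */
static int fail(struct pam_response *r, int n, int code) {
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
    return code;
}

/* Pass as pam_conv.conv, with a struct form_creds as appdata_ptr. */
int form_conv(int n, const struct pam_message **msg,
              struct pam_response **resp, void *appdata) {
    struct form_creds *c = appdata;
    if (n <= 0 || !c || !c->user || !c->pass) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    /* Heuristic: echoed prompt = username, hidden prompt = password, once each. */
    for (int i = 0; i < n; i++) {
        const char *answer;
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON) {
            if (c->on_seen++) return fail(r, n, PAM_CONV_ERR);
            answer = c->user;
        } else if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
            if (c->off_seen++) return fail(r, n, PAM_CONV_ERR);
            answer = c->pass;
        } else continue; /* PAM_ERROR_MSG / PAM_TEXT_INFO expect no answer */
        if (!(r[i].resp = dup_str(answer))) return fail(r, n, PAM_BUF_ERR);
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

A module that issues a second hidden prompt (for example a verification code or a new-password request) gets `PAM_CONV_ERR` instead of the password a second time.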
