
Asynchronous PAM - long post



Does or WILL pam support an asynchronous authentication process? Any suggestions or workarounds for now? It would help me use PAM on a single process/single threaded server that handles multiple clients (using select).
 
Right now it seems on pam_authenticate(), the server must always block in the conversation function waiting for user input because the modules expect responses from the conversation.
 
One idea would be to have the conversation function write the prompt to a socket and return PAM_CONV_CONTINUE. This allows the conversation and the module to save the state and allows the pam engine to remember where it was in the module chain.
 
When a response comes back on the socket for the prompt, the server application calls pam_conv_continue(pamh, my_conv), which forwards the call to the module that received the PAM_CONV_CONTINUE. That module then calls the conversation function again with the received response data (from the socket). The conversation function puts the responses into the response array and returns PAM_SUCCESS.
 
Here is a sample call path:
 
Client:
------
    <<request auth from server>>
 
Server:
------
pam_authenticate(pamh,user,flags,auth_cb);
   pam_sm_authenticate(...);
      conv->conv(num,msgs,resps,data);
          <<create packet from msgs>>
          <<send packet to client>>
          return PAM_CONV_CONTINUE;
      pamh->continue_with_which_module = this_module;
 
 
Client:
------
   << receive request from server for pam responses >>
   << get responses from user, from libpamc interface, whatever...>>
   << send packet with responses to server >>
 
Server:
------
select(...)
<<received response from client>>
pam_conv_continue(pamh, response);
   << use module pointed to by pamh->continue_with_which_module >>
   pam_sm_conv_continue(response);
      << put response into msgs with PAM_CONV_CONTINUE msg type >>
      conv->conv(num,msgs,resps,data)
         case PAM_CONV_CONTINUE:
            << put msgs into resps >>
            return PAM_SUCCESS
      <<authenticate with resps>>
      return PAM_SUCCESS;
   auth_cb(); // cb passed in initial pam_authenticate()
 
Thanks for looking at this. Any guidance would be very much appreciated.
 
