[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Asynchronous PAM - long post

On Fri, 25 Jun 1999, Scott Rachels wrote:

> Does or WILL pam support an asyncronous authentication process? Any
> suggestions or workarounds for now? It would help me use PAM on a single
> process/single threaded server that handles multiple clients (using
> select).

> Right now it seems on pam_authenticate(), the server must always block in
> the conversation function waiting for user input because the modules
> expect responses from the conversation. 

Andrew Morgan added support to Linux-PAM not long ago for such an
'event-driven' conversation model.  If the response is not available at the
time the conversation function is called, the conversation function is to
return PAM_CONV_AGAIN, and the module *should* return PAM_INCOMPLETE.

The trouble is, I'm not sure how many modules that make use of conversation
functions (even within the Linux-PAM distribution) currently support
PAM_INCOMPLETE.  Having the conversation function return PAM_CONV_AGAIN is
the responsibility of the application writer, and isn't a problem at all,
but the modules... <shrug>

Does anyone here on the list have first-hand experience trying to make an
event-driven conversation function work with existing PAM modules?  How
easy/hard is it?

-Steve Langasek
postmodern programmer

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []