
Re: userid and groups questions



Stephen Langasek wrote:

> Upon reflection, I guess the idea the original poster was getting at was
> that the PAM_USER item should be 'read-only' for the modules.  The same
> thing applies, IMHO.  If there's a compelling reason to change the PAM_USER,
> the module writer should have that option, in which case the module
> documentation ought to make this clear.  If the concern is people writing
> mischievous modules, then restricting access to PAM_USER isn't going to
> prevent that.

I thought the original idea he was getting at was that if you used three
different authentication modules, each could ask the user "who are you?" and
the USER could put in different answers each time.  This might be valid
(e.g. "scott" for /etc/shadow, "snelson" for SMB, "Scott Nelson" for xyz), or
the user could put in conflicting information ("scott", "scott", "fred").

I think the solution is to have only the first module ask "who are you?".  You
then ask "prove it" the first time to ascertain the requested identity and then
you can ask "prove it" two more times for the remaining modules.  Didn't I see
that in the documentation?  use_first??

Sorry if I am speaking out of turn here, I am just getting to know PAM.

Scott Nelson
sbnelson@thermeon.com
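The stacking described in the post, as an added Linux-PAM configuration example that is not part of the original message: the first module collects the password, and the second is told to reuse it with the `use_first_pass` option instead of prompting again. The module names (pam_unix, pam_ldap) and the `required` control flags are assumptions chosen for illustration.

```conf
# Constructed example of an auth stack in /etc/pam.d/login (Linux-PAM syntax).
# Module choice and control flags are assumptions, not from the original post.

# Note on "who are you?": PAM_USER is filled in once, either by the application
# at pam_start() or by the first module's pam_get_user() prompt; later modules
# calling pam_get_user() get the cached item back and do not ask again.

# Without use_first_pass, each module runs its own "prove it" prompt, so the
# user can give a different answer to every module.
#auth  required  pam_unix.so
#auth  required  pam_ldap.so

# With use_first_pass, pam_ldap reuses the PAM_AUTHTOK collected by pam_unix
# and never prompts; if no token was stored, or it is wrong, the module fails.
auth  required  pam_unix.so
auth  required  pam_ldap.so  use_first_pass
```

If a second prompt should be allowed only when the reused password is rejected, `try_first_pass` gives that behaviour in modules that support it.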
