[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

PAM S/Key module

Hi all,

I've ported the skey stuff from Wietse Venema's logdaemon package,
and written two PAM modules that go with it. The source code is
linux-skey-0.1.tar.gz, available from


The reason that there are two PAM module is a bit bizarre, but the only
other way of doing what I wanted to do was explicitly mapping return
values to PAM dispatched actions, which I found even uglier.

The issue is that I want to support the skeyaccess file which details
whether a user is required to use skey, or whether he has the option
of using either plain text passwords as well. So we first check
SKEY, and if that's okay we want to stack to return immediately
with PAM_SUCCESS. However, if SKEY fails, the action depends on
whether plaintext passwords are permitted: if they are, the SKEY
module return value should be ignored, otherwise the entire stack
should fail.

I solved this by introducing a second module, pam_skey_access, which
follows the pam_skey module:

auth	sufficient	pam_skey.so
				(say SUCCESS or AUTH_ERR)
auth	required	pam_skey_access.so
				(say SUCCESS if plaintext allowed,
				AUTH_ERR otherwise)


Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            
	  The skey oracle says: NIBS RUB TECH LIST LEFT OLAF

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []