[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Using pam to check a known password.

On Fri, 14 Apr 2000, Luke Kenneth Casson Leighton wrote:

> > Is there a way to ask PAM: "here's a username and password, do they
> > belong together?"

> sounds like a security risk, to me.

Security-wise, this is no different from what PAM does currently.  Most PAM
modules ask for a username, and then ask for a password, and then look to
see if the password is the right password for the user, which is equivalent to
asking if a username and password belong together.

The only difference is, who decides what information is needed?  The PAM
architecture says that the PAM modules should have control, but some protocols
are so rigid that it has to be limited to just a username and a password...

I can think of one way to do this without having to write bad conversation
functions.  However, I'll leave it for others to decide whether this is more
or less bad than the alternative. :)

#include <security/pam_appl.h>
#include <security/pam_modules.h>


int retval;
char *user, *password, *service;
const struct pam_conv conv_struct = { ... };
pam_handle_t *pamh = NULL;


pam_start(service, user, &conv_struct, &pamh);

pam_set_item(pamh, PAM_AUTHTOK, password);

retval = pam_authenticate(pamh, PAM_SILENT);


Of course, this method has its problems.  First, I'm not sure how seriously
libpam takes the edict that PAM_AUTHTOK is 'for modules only!'; it's possible
that it will ignore the application, or reset the pam_item when
pam_authenticate is called.  Second, while this will eliminate the vast
majority of reasons why modules would need to call the conversation function,
the whole reason there's a problem is because modules sometimes need
information *other than* a username or password.  The above method does
nothing to help those modules.

Steve Langasek
postmodern programmer

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []