
Re: Using pam to check a known password.



On Fri, 21 Apr 2000, Solar Designer wrote:

> > I can think of one way to do this without having to write bad conversation
> > functions.  However, I'll leave it for others to decide whether this is more
> > or less bad than the alternative. :)

> Which alternative?  There're at least two: bad assumptions in the
> conversation function and pam_userpass.

Well, the bad assumptions in the conversation function.  At the time, I hadn't
looked at pam_userpass.

pam_userpass looks like it could be very handy, but again, it doesn't solve
the problem of modules that want additional information from an application
that can't get the information from the user.

> > pam_start(service, user, &conv_struct, &pamh);
> > pam_set_item(pamh, PAM_AUTHTOK, password);
> > retval = pam_authenticate(pamh, PAM_SILENT);

> Been there, tried that.  Won't work.

> > Of course, this method has its problems.  First, I'm not sure how seriously
> > libpam takes the edict that PAM_AUTHTOK is 'for modules only!'; it's possible
> > that it will ignore the application, or reset the pam_item when
> > pam_authenticate is called.

> Linux-PAM will reset PAM_AUTHTOK.  You can avoid that by playing with
> pamh->former.choice, but that's undocumented and non-portable.

Ah.  Oh well, it was just a thought, one I probably wouldn't have had if I had
ever looked at that part of the code. :)

> There's no problem with providing some information via tokens you set
> manually and the rest via a conversation function, if that was possible.

Indeed not. But how do we make it possible for all applications?

Steve Langasek
postmodern programmer


