
Re: PAM_USER or PAM_RUSER??



On Wed, 9 Aug 2000, Max Liccardo wrote:

> This is the problem with an external users db. Suppose I have an external
> user repository that I can access with username/password only, and  I have
> an account to read/write into the db.

> By my pam module I have to authenticate a user using the external repository
> (i.e. radius, tacacs+, and so on...)...so I have a username/password to
> connect to my db and a username/password to authenticate. I suppose PAM_USER
> is for connecting to the db and PAM_RUSER is the identity of the user I want
> to authenticate.

> This is the case of radius/NAS: a NAS user could be authenticated by a radius
> using an external db: well, I use PAM_RUSER as the identity of the user into
> the NAS and PAM_USER to authenticate the PAM_RUSER into my external (oracle,
> ldap) repository.

This is not the meaning assigned to the tokens.

PAM_RUSER is always the name of the remote user who made the request, never
the name of the user being authenticated.  Sometimes, PAM_RUSER == PAM_USER,
but you should never count on this.  PAM_RUSER may be useful for informational
purposes (logging connections) or where it has bearing on authenticating the
user named by PAM_USER (rhosts-style authentication, or RSA rhosts auth for
ssh).  Beyond that, it has few uses.

Does the application give your module the username and password used to
authenticate to the external db?  Would they be relevant to other modules?
If your module gets the username/password from its own configuration file,
there's no reason to store this username in one of the PAM_ITEMs: the
PAM_ITEMs are there for module<->module and application<->module
intercommunication.

Steve Langasek
postmodern programmer
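The following is an added illustration of the item semantics described in the reply above; it is not code from either poster. It assumes the module is deployed as a script run by Linux-PAM's pam_exec, which exports PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE and PAM_TYPE as environment variables and, with the expose_authtok option, passes the password on stdin. The script authenticates only the account named by PAM_USER, logs PAM_RUSER/PAM_RHOST for information, and takes the repository's own service-account credentials from a private config file (the path /etc/security/external_db.conf and the "name:password" file standing in for the RADIUS/LDAP repository are assumptions made for the example).

```shell
#!/bin/sh
# Added example, not from the original thread: a pam_exec script that checks
# the PAM_USER account against an external repository.
#   PAM_USER  - the account being authenticated (the only identity checked)
#   PAM_RUSER - the remote requester; informational, may be unset or == PAM_USER
# Assumed /etc/pam.d line (hypothetical):
#   auth required pam_exec.so expose_authtok /usr/local/lib/check_external_user

: "${EXT_DB_CONF:=/etc/security/external_db.conf}"  # assumed config path
: "${EXT_REPO_FILE:=/var/lib/external_db/users}"     # constructed stand-in repo

# Identity to authenticate: PAM_USER. Fails if the application never set it.
auth_identity() {
    [ -n "${PAM_USER:-}" ] || return 1
    printf '%s\n' "$PAM_USER"
}

# Audit line: PAM_RUSER/PAM_RHOST are logged but nothing depends on them.
audit_line() {
    printf 'service=%s user=%s ruser=%s rhost=%s\n' \
        "${PAM_SERVICE:-?}" "${PAM_USER:-?}" "${PAM_RUSER:--}" "${PAM_RHOST:--}"
}

# Repository service account, read from the module's own config file
# (lines db_user=... and db_pass=...), never from a PAM item. Prints "user:pass".
db_credentials() {
    conf="${1:-$EXT_DB_CONF}"
    [ -r "$conf" ] || return 1
    dbu=$(sed -n 's/^db_user=//p' "$conf" | head -n 1)
    dbp=$(sed -n 's/^db_pass=//p' "$conf" | head -n 1)
    [ -n "$dbu" ] && [ -n "$dbp" ] || return 1
    printf '%s:%s\n' "$dbu" "$dbp"
}

# Stand-in for the real lookup (a RADIUS request or LDAP bind made with the
# service account). A constructed file of "name:password" lines plays the
# repository; the name looked up is always the PAM_USER identity.
verify_against_repo() {
    user="$1"; password="$2"; repo="${3:-$EXT_REPO_FILE}"
    [ -r "$repo" ] || return 1
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$repo")
    [ -n "$stored" ] && [ "$stored" = "$password" ]
}

main() {
    [ "${PAM_TYPE:-}" = "auth" ] || exit 0       # only act for the auth call
    user=$(auth_identity) || { logger -t check_external_user "no PAM_USER"; exit 1; }
    logger -t check_external_user "$(audit_line)"
    creds=$(db_credentials) || exit 1            # would be used to bind/connect
    IFS= read -r password                        # expose_authtok: password on stdin
    verify_against_repo "$user" "$password"
}

# Run only when invoked by pam_exec (PAM_TYPE set); sourcing for tests skips it.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

Note that PAM_RUSER never reaches the repository lookup: if the NAS reports a different remote name, that is recorded in the audit line, but the account checked and the credentials used to reach the repository are decided by PAM_USER and the module's own configuration respectively.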