
Re: PAM_USER or PAM_RUSER??



Max Liccardo wrote:
> 
> Steve Langasek wrote:
> 
> > The terminology tends to be a bit confusing.  When it says 'the service',
> > it refers to the service the user will have access to *after* PAM has
> > authenticated.  E.g., should we give this person (PAM_RUSER) access to the
> > rlogin service (PAM_RLOGIN) as user 'root' (PAM_USER)?
> >
> 
> right...the problem is that PAM is local-user oriented, i.e. PAM is a
> way to authenticate a local user by some external modules and not from
> an application directly. The problem arises when I want to authenticate
> a non local-user (pop, tacacs, radius). In this case there is no
> information about the user in the system repository (etc/passwd or
> similar)..in fact the user doesn't really exist ;-)...it is just an
> entry in some external repository (no uid, no euid and so on)!!!
> the only user is the one with two identities: one local to the system
> running the module (i.e. the user radius if the server runs other than
> root) and one for the repository connection. a bit confusing,
> really.....

Does this make it any clearer (section 4.1):


ftp://linux.kernel.org/pub/linux/libs/pam/pre/doc/draft-morgan-pam-07.txt

I believe that you want to put the name of your non local-user into
PAM_USER. Your application needs to avoid using this username for any
getpw* calls (unless it can resolve the mapping of this user to some
uid).

Cheers

Andrew
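
An added example, not part of the original message or of Linux-PAM: one way an application can guard its `getpw*` use when the name in PAM_USER may exist only in an external repository. The helper `resolve_local_identity`, the `enum identity` values and the sample names are hypothetical, and the name is passed in as a string on the assumption that the application already read it from PAM_USER.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Outcome of looking up the authenticated name in the local account database. */
enum identity { ID_LOCAL, ID_NONLOCAL, ID_ERROR };

/*
 * pam_user: the name the application obtained from PAM_USER after a
 * successful authentication (hypothetical helper, not a libpam call).
 * On ID_LOCAL *uid holds the local uid; otherwise it is set to (uid_t)-1 so
 * a caller that ignores the return value never ends up with uid 0.
 */
enum identity resolve_local_identity(const char *pam_user, uid_t *uid)
{
    struct passwd pw, *found = NULL;
    char buf[16384];
    int rc;

    *uid = (uid_t)-1;
    if (pam_user == NULL || pam_user[0] == '\0')
        return ID_ERROR;

    rc = getpwnam_r(pam_user, &pw, buf, sizeof buf, &found);
    if (found != NULL) {
        *uid = pw.pw_uid;
        return ID_LOCAL;
    }
    /* No entry: the user was authenticated by the external repository only. */
    if (rc == 0 || rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM)
        return ID_NONLOCAL;
    return ID_ERROR;            /* lookup failure (I/O error, ERANGE, ...) */
}

int main(void)
{
    /* Constructed sample names. */
    const char *names[] = { "root", "radius-only-user.example" };
    for (size_t i = 0; i < 2; i++) {
        uid_t uid;
        enum identity id = resolve_local_identity(names[i], &uid);
        if (id == ID_LOCAL)
            printf("%s: local account, uid %lu\n", names[i], (unsigned long)uid);
        else
            printf("%s: %s\n", names[i], id == ID_NONLOCAL ? "no local uid" : "lookup error");
    }
    return 0;
}
```

On `ID_NONLOCAL` the application keeps running under its own service identity and makes no uid-based decision for that user.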




