SuSE loading PAM?
Joe Lewis
joe at joe-lewis.com
Tue Jun 22 21:41:38 UTC 2004
Jason Gerfen wrote:
> I am writing a pam module and it works fine, does simple logging of
> login attempts etc. The problem with this is it only seems to load if I
> use the /etc/pam.d/gdm file to load it.
For all Gnome Display Manager logins, it will use the gdm file.
> From what I understand about PAM the /etc/pam.d/login file should be
> the one to load the module to log authentication attempts correct?
/etc/pam.d/login is used for text-console-based logins. This is the
beauty of PAM - different login mechanisms for different services.
> Second question, as I am writing this I attempt to get the current
> owner of the process and it is coming up as UID & EUID as 3? Is this a
> system user? I could not google up anything on this behavior.
Look in /etc/passwd for the account with UID of 3.
> My third question is if PAM is not running as the root user is there an
> existing module that will switch to the root user on the fly in order to
> run some authentication commands before returning to the normal user?
> Any help is appreciated...
There is no mechanism to switch to root for the authentication. Often,
a service will be running as root. When an authentication request comes
in, a separate process will be fork()ed, and that process switches from
root to the user that just authenticated, while the service starts
listening again for new connections.
If you build a PAM-aware application, make sure that it is executed as
root, or any authentications will fail (because only root has access to
the shadow password files).
I was playing with a test application, and it would only allow the
current user to authenticate. As soon as the application became root
and could gain access to the shadow files, I could authenticate any user
in the files.
I hope I've answered a few questions in my ramblings. Let me know if I
haven't.
Joe
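
The fork-and-switch pattern described in the reply above, sketched in C as an added example that is not part of the original message or of Linux-PAM. The names run_session_as, drop_privileges and show_ids are hypothetical, and the demo targets the caller's own ids (an assumption so that it also runs without root).

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Irreversibly become uid/gid. Order matters: supplementary groups and the
 * gid must change while the process is still root; the uid goes last. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                  /* shed root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;                  /* real and effective ids must match */
    if (uid != 0 && setuid(0) == 0)
        return -1;                  /* root must not be recoverable */
    return 0;
}

/* Fork one child per authenticated session; the parent keeps its ids and
 * returns the child's exit status, or -1 on error. */
int run_session_as(uid_t uid, gid_t gid, int (*session)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);             /* fail closed: never run it as root */
        _exit(session());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical session body: report the ids the child ended up with. */
static int show_ids(void)
{
    printf("session uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return fflush(stdout) == 0 ? 0 : 1;   /* _exit() does not flush stdio */
}

int main(void)
{
    return run_session_as(getuid(), getgid(), show_ids);
}
```

In a real service the uid and gid would come from the account that has just passed authentication, and the parent would go back to accepting connections instead of waiting on the child.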