Pam-list Digest, Vol 33, Issue 11
Andreas Schindler
schindler at az1.de
Thu Nov 30 08:58:14 UTC 2006
pam-list-request at redhat.com wrote:
> Subject: Cancel running only one module
> From: "Josef Hajas" <josef at hajas.net>
> Date: Tue, 28 Nov 2006 18:02:17 +0100
> To: pam-list at redhat.com
>
> Hello,
> I'm implementing pam_bioapi (for using my fingerprint reader) and I
> want to implement possibility to cancel running biometrics operation.
> Let's say I have this config:
> auth sufficient pam_bioapi.so [+some parameters]
> auth required pam_unix.so
>
> and I would like have some cancel button in application (for example
> in gnome-screensaver) which cancel only authenticate of pam_bioapi but
> still try to authenticate by pam_unix. Is there some standard way how
> to achieve this? I had an idea to use pam_conv and return error, but I
> can't be sure that some pam_conv come after user press cancel. I need
> something I can call from application since pam_authenticate()
> running.
>
Josef,
As far as I understand you, you want to cancel one specific PAM module's
operation without effect to the other ones.
IMHO 'cancel' means to PAM: the user refuses to authenticate. The correct
behavior to this action would be to return an error to pam_conv.
With the above priority-stacking (sufficient pam_bioapi, then required
pam_unix) you should get along quite fine.
Your problem is the alternate user dialogue, because pam_bioapi wouldn't
ask for a user name or a password, but pam_unix needs this. So, be sure
pam_bioapi clears out 'user' via an empty pam_set_item(). Because an
authentication token wasn't set by pam_bioapi AND no argument 'use_first_pass'
in pam_unix, the latter should start a complete new authentication
dialogue. To be sure what's going on, switch on debugging in pam_unix
and trace your /var/log/auth.log.
Regards, Andreas
--
Dr.-Ing. Andreas Schindler
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
Telefon 06103-57187-21
Telefax 06103-373245
schindler at az1.de
www.az1.de
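
Added example (not part of the original thread, and not libpam or pam_bioapi code): a simplified C model of how the stack from the question is evaluated, assuming pam_bioapi reports a cancelled capture as an ordinary authentication failure. The enum names, `run_stack` and `login_attempt` are hypothetical, and the scenarios are constructed.

```c
/* Simplified model of a PAM auth stack walk; stand-in types, not libpam. */
#include <stdio.h>

enum result  { R_SUCCESS, R_AUTH_ERR };   /* stand-ins for PAM_SUCCESS / PAM_AUTH_ERR */
enum control { C_REQUIRED, C_SUFFICIENT };

/* Constructed scenario: what the user does during one login attempt. */
struct scenario { int bio_cancelled, bio_match, password_ok, unix_prompted; };

struct entry {
    enum control ctl;
    enum result (*authenticate)(struct scenario *);
};

/* Assumed pam_bioapi behaviour: a cancel is reported as a plain failure. */
static enum result bioapi_auth(struct scenario *s) {
    if (s->bio_cancelled) return R_AUTH_ERR;
    return s->bio_match ? R_SUCCESS : R_AUTH_ERR;
}

/* pam_unix without use_first_pass: it starts its own dialogue. */
static enum result unix_auth(struct scenario *s) {
    s->unix_prompted = 1;
    return s->password_ok ? R_SUCCESS : R_AUTH_ERR;
}

enum result run_stack(const struct entry *st, size_t n, struct scenario *s) {
    int required_failed = 0, any_success = 0;
    for (size_t i = 0; i < n; i++) {
        enum result r = st[i].authenticate(s);
        if (r == R_SUCCESS) any_success = 1;
        if (st[i].ctl == C_SUFFICIENT) {
            /* Success ends the walk unless a required module already failed;
               failure of a sufficient module is ignored. */
            if (r == R_SUCCESS && !required_failed) return R_SUCCESS;
        } else if (r != R_SUCCESS) {
            required_failed = 1;          /* remembered, but the walk continues */
        }
    }
    return (required_failed || !any_success) ? R_AUTH_ERR : R_SUCCESS;
}

/* The stack from the question: sufficient pam_bioapi, then required pam_unix. */
enum result login_attempt(struct scenario *s) {
    const struct entry stack[] = { { C_SUFFICIENT, bioapi_auth }, { C_REQUIRED, unix_auth } };
    return run_stack(stack, sizeof stack / sizeof stack[0], s);
}

int main(void) {
    struct scenario s = { 1, 0, 1, 0 };   /* cancel fingerprint, then good password */
    printf("cancel + good password: %s\n", login_attempt(&s) == R_SUCCESS ? "success" : "failure");
    return 0;
}
```

In this model a cancelled fingerprint capture never decides the outcome by itself: the result is whatever the required password module returns.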