Pam-list Digest, Vol 33, Issue 11

Andreas Schindler schindler at az1.de
Thu Nov 30 08:58:14 UTC 2006


pam-list-request at redhat.com wrote:
> Subject: Cancel running only one module
> From: "Josef Hajas" <josef at hajas.net>
> Date: Tue, 28 Nov 2006 18:02:17 +0100
> To: pam-list at redhat.com
> 
> 
> Hello,
> I'm implementing pam_bioapi (for using my fingerprint reader) and I
> want to implement the possibility to cancel a running biometrics operation.
> Let's say I have this config:
> auth     sufficient    pam_bioapi.so [+some parameters]
> auth     required     pam_unix.so
> 
> and I would like to have some cancel button in the application (for example
> in gnome-screensaver) which cancels only the authentication of pam_bioapi but
> still tries to authenticate by pam_unix. Is there some standard way how
> to achieve this? I had an idea to use pam_conv and return an error, but I
> can't be sure that some pam_conv comes after the user presses cancel. I need
> something I can call from the application since pam_authenticate() is
> running.
> 

Josef,

as far as I understand you, you want to cancel one specific PAM module's
operation without effect on the other ones.

IMHO 'cancel' means to PAM: the user refuses to authenticate. The correct
behavior to this action would be to return an error to pam_conv.

With the above priority-stacking (sufficient pam_bioapi, then required
pam_unix) you should get along quite fine.

Your problem is the alternate user dialogue, because pam_bioapi wouldn't
ask for a user name or a password, but pam_unix needs this. So, be sure
pam_bioapi clears out 'user' via an empty pam_set_item(). Because an
authentication token wasn't set by pam_bioapi AND no argument 'use_first_pass'
in pam_unix, the latter should start a complete new authentication
dialogue. To be sure what's going on, switch on debugging in pam_unix
and trace your /var/log/auth.log.


Regards, Andreas
-- 
Dr.-Ing. Andreas Schindler

Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich

Telefon 06103-57187-21
Telefax 06103-373245

schindler at az1.de
www.az1.de
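
An added example, not part of the original message and not Linux-PAM code: a simplified C model of how the control flags in a stack are evaluated, showing that a failed (for instance cancelled) `sufficient` pam_bioapi is ignored and the `required` pam_unix still runs and decides the result. All type and function names are hypothetical, and only the four classic control flags are modelled.

```c
#include <stdio.h>

/* Simplified model of an auth stack walk; names are hypothetical, not libpam. */
enum ctl { CTL_REQUIRED, CTL_REQUISITE, CTL_SUFFICIENT, CTL_OPTIONAL };
enum res { RES_OK, RES_FAIL };  /* RES_FAIL: any non-success, e.g. a cancelled scan */
struct entry { const char *module; enum ctl control; enum res result; };

/* Returns the stack verdict; *ran gets one bit per entry actually invoked. */
enum res eval_stack(const struct entry *s, size_t n, unsigned *ran)
{
    int required_failed = 0, any_ok = 0;
    *ran = 0;
    for (size_t i = 0; i < n; i++) {
        enum res r = s[i].result;
        *ran |= 1u << i;
        switch (s[i].control) {
        case CTL_REQUIRED:                 /* failure is remembered, walk continues */
            if (r == RES_FAIL) required_failed = 1; else any_ok = 1;
            break;
        case CTL_REQUISITE:                /* failure ends the walk at once */
            if (r == RES_FAIL) return RES_FAIL;
            any_ok = 1;
            break;
        case CTL_SUFFICIENT:               /* success ends the walk, failure is ignored */
            if (r == RES_OK && !required_failed) return RES_OK;
            break;
        case CTL_OPTIONAL:
            if (r == RES_OK) any_ok = 1;
            break;
        }
    }
    return (!required_failed && any_ok) ? RES_OK : RES_FAIL;
}

/* The stack from the message: sufficient pam_bioapi, then required pam_unix. */
enum res page_stack(enum res bioapi, enum res unix_pw, unsigned *ran)
{
    struct entry s[] = { { "pam_bioapi.so", CTL_SUFFICIENT, bioapi },
                         { "pam_unix.so",   CTL_REQUIRED,   unix_pw } };
    return eval_stack(s, 2, ran);
}

int main(void)
{
    unsigned ran;
    enum res v = page_stack(RES_FAIL, RES_OK, &ran);  /* scan cancelled, password ok */
    printf("verdict=%s modules_run_mask=0x%x\n", v == RES_OK ? "success" : "failure", ran);
    return 0;
}
```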



