Passing information from app to module by pam_*env

Steve Langasek vorlon at debian.org
Sun Sep 9 22:11:51 UTC 2007


On Wed, Sep 05, 2007 at 01:34:41PM +0200, Tobias Heide wrote:
> Steve Langasek wrote:
> > If you have to code both your app and your module to exchange extra
> > information, then it's no longer very "pluggable", is it?

> Note: only the application passes data to the module, not the other way
> round. The module should have the ability to make more granular
> authorisation decisions ("Shall user X be granted access to Port 80 of
> Host Y?"). I just want to pass the information that the requested
> "resource" is Port 80 of Host Y.

> > When a module needs additional information in order to do its job, it's
> > expected that the module will use the conversation function provided by
> > the app in order to request this information from the user in some
> > fashion.

> The problem with that is that most existing applications simply send
> the password when PAM_PROMPT_ECHO_OFF is sent to them. So I would have
> to add new messages to the PAM library. I don't think that's cool.

Only a handful of non-interactive applications do this.  Most applications
correctly forward such requests for information to the user.

But again, if the application /also/ needs to know this information, you
don't seem to have anything particularly pluggable.  If the module and
application have to be used together, there's not much point in making a PAM
module at all.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
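
Added example, not part of the original message and not Linux-PAM code: a conversation callback for a non-interactive application that answers prompts by style and text instead of sending the password for every PAM_PROMPT_ECHO_OFF. The struct creds type, the "Resource: " prompt and the one-password-per-call policy are assumptions made for illustration; the PAM types are local stand-ins so the block builds without libpam.

```c
#include <stdlib.h>
#include <string.h>

/* Local stand-ins mirroring Linux-PAM's public definitions so this builds
 * without libpam; a real program includes <security/pam_appl.h> instead. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical application data and module prompt (assumptions). */
struct creds { const char *password; const char *resource; };
#define RESOURCE_PROMPT "Resource: "

static char *copy_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    return p ? memcpy(p, s, len) : NULL;
}

/* Answers the first secret prompt with the password and a known non-secret
 * prompt with the resource; any other request fails the conversation. */
int strict_conv(int n, const struct pam_message **msg,
                struct pam_response **resp, void *appdata)
{
    const struct creds *c = appdata;
    struct pam_response *r;
    int pw_sent = 0;
    if (n <= 0 || (r = calloc((size_t)n, sizeof *r)) == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        const char *answer = NULL;
        int style = msg[i]->msg_style;
        if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO)
            continue;                          /* informational, no reply */
        if (style == PAM_PROMPT_ECHO_OFF && !pw_sent++)
            answer = c->password;              /* password is sent only once */
        else if (style == PAM_PROMPT_ECHO_ON && msg[i]->msg != NULL &&
                 strcmp(msg[i]->msg, RESOURCE_PROMPT) == 0)
            answer = c->resource;
        if (answer == NULL || (r[i].resp = copy_str(answer)) == NULL) {
            for (int j = 0; j < n; j++) free(r[j].resp);
            free(r);                           /* never return partial replies */
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```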