Revisited: how to get 'auth' result?
Jesse Zbikowski
embeddedlinuxguy at gmail.com
Wed Nov 12 02:18:23 UTC 2008
This issue was raised a couple of times this spring without response.
I would like to know, if there is more than one path for
authorization in the PAM stack, which one actually succeeded. For
example, say I have a PAM configuration file like this:

    auth    sufficient pam_first.so
    auth    sufficient pam_second.so
    account sufficient pam_first.so
    account sufficient pam_second.so

The behavior I want is: whichever module succeeds for authorization,
use the same module when the application makes an accounting request.
The module pam_tacplus.so is "well-behaved" in this regard, in that
acct will not succeed unless auth already did. pam_radius_auth.so,
however, at least in my configuration, is happy to succeed in the
acct request after a different module handled the auth request, which
breaks my scheme.
If it is not possible to get this behavior from PAM out of the box,
would it make sense to write a custom PAM module to handle this logic?
That is, my module would internally call pam_authenticate() /
pam_acct_mgmt() on other PAM services, according to my specifications.
With reference to the original posts on this topic: right now I would
be if my application could figure out whether it was pam_first.so or
pam_second.so which succeeded, perhaps via pam_get_item().
https://www.redhat.com/archives/pam-list/2008-June/msg00000.html
https://www.redhat.com/archives/pam-list/2008-May/msg00003.html
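
Added example, not part of the original post and not Linux-PAM code: a toy Python model of the all-sufficient stack quoted above, showing how the auth and account passes can be decided by different modules, and how pinning the account pass to the auth winner (the wrapper idea raised in the post) removes the mismatch. The two module functions, the user names and the helper names are constructed for illustration.

```python
# Toy model of a PAM stack in which every line is 'sufficient'. Not libpam.
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # the model's result when no line succeeds

def run_stack(stack, facility, user):
    """Walk 'sufficient' lines in order; return (result, deciding module)."""
    for name, module in stack:
        if module(facility, user) == PAM_SUCCESS:
            return PAM_SUCCESS, name  # first success ends the stack
        # a failing 'sufficient' line is ignored; try the next one
    return PAM_PERM_DENIED, None

def pam_first(facility, user):
    # Constructed stand-in: authenticates only "alice", but approves any
    # account request (the behaviour the post reports for pam_radius_auth.so).
    if facility == "auth":
        return PAM_SUCCESS if user == "alice" else PAM_AUTH_ERR
    return PAM_SUCCESS

def pam_second(facility, user):
    # Constructed stand-in: knows only "bob", for auth and account alike.
    return PAM_SUCCESS if user == "bob" else PAM_AUTH_ERR

STACK = [("pam_first.so", pam_first), ("pam_second.so", pam_second)]

def plain_session(user):
    """What the application sees today: two independent stack walks."""
    return run_stack(STACK, "auth", user), run_stack(STACK, "account", user)

def pinned_session(user):
    """Wrapper idea: remember the auth winner, consult only it for account."""
    result, winner = run_stack(STACK, "auth", user)
    if result != PAM_SUCCESS:
        return (result, None), (PAM_PERM_DENIED, None)
    pinned = [(n, m) for n, m in STACK if n == winner]
    return (result, winner), run_stack(pinned, "account", user)

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, "plain ", plain_session(user))
        print(user, "pinned", pinned_session(user))
```

For "bob" the plain walk reports pam_second.so for auth but pam_first.so for account, which is the mismatch described in the post; the pinned walk reports pam_second.so for both.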