using pam_sm_auth
Tomas Mraz
tmraz at redhat.com
Thu Oct 6 17:01:18 UTC 2011
On Thu, 2011-10-06 at 12:12 -0400, leonel06013 at cfg.jovenclub.cu wrote:
> This is the function I have redefined to get the user and password from the user in
> the Gnome login window.
>
> #define PAM_SM_AUTH
>
> #include <security/pam_modules.h>
> #include <security/pam_appl.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/types.h>
> #include <pwd.h>
> #include <syslog.h>
>
>
> PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,
>                                    const char ** argv)
> {
>     const char * userName = NULL; //var to get the user name
>     char * userPasswd; //var to get the user password
>     //other vars
>     int pam_err, retry;
>
>     //getting the user's name, this works fine
>     if (pam_get_user(pamh, &userName, NULL) != PAM_SUCCESS)
>     {
>         syslog(LOG_ERR, "cannot determine user name");
>         return PAM_USER_UNKNOWN;
>     }
>
>     if ( pam_get_item(pamh, PAM_AUTHTOK, (const void **)&userPasswd) != PAM_SUCCESS)
>     {
>         syslog(LOG_ERR, "Error al extra el pass del usuario");
>         return PAM_SYSTEM_ERR;
>     }
>
>     return PAM_SUCCESS;
> }
>
> This is the main instruction of my function, the part where I get the user name and
> the password. Getting the user name works fine, but I can't obtain his password.
> This is a service module for PAM, not for an app.
>
> I need to obtain all this data when the user logs in on Gnome. Having this data, I
> authenticate those values against my database and then I set new credentials with
> pam_set_item, but this last part doesn't matter because the first part doesn't work
> yet.
>
> If I call the pam_get_authtok() function, all works OK and I get the password fine, but I
> have to put in the password twice, once for the function pam_get_authtok() and once more for
> the system, I guess. The same thing happened when I used the conversation function.
>
> So my problems now are two: first, how can I get the user password without using
> pam_get_authtok or the conversation function? And if I have to use one of those,
> how can I avoid the second authentication in the Gnome login window?
The pam_get_authtok() supports the try_first_pass and use_first_pass
options for the module. So you just put one of these options in the
service configuration file in /etc/pam.d/ and it should work fine.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
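
The service configuration the reply describes, as an added example that is not part of the original message. The file name /etc/pam.d/gdm, the module name pam_mydb.so and the pam_unix.so line ahead of it are assumptions; the option meanings are the ones documented in pam_get_authtok(3).

```conf
# /etc/pam.d/gdm   (assumed service file name; it varies by distribution)
#
# pam_mydb.so is a hypothetical name for the custom module. It is assumed to
# read the password with pam_get_authtok(pamh, PAM_AUTHTOK, &pw, NULL),
# which picks up the options below from its own configuration line.

# An earlier module prompts once and stores the password as PAM_AUTHTOK.
# "sufficient": local accounts finish here; other users fall through.
auth    sufficient  pam_unix.so

# Variant A: try the password stored by the earlier module first and
# prompt only if none is available.
auth    required    pam_mydb.so try_first_pass

# Variant B (use instead of A): use the stored password and never prompt;
# if no password is available, the user is denied access.
#auth   required    pam_mydb.so use_first_pass
```

If pam_mydb.so is stacked first and does the prompting itself, the option belongs on the module that follows it; pam_unix(8) documents both try_first_pass and use_first_pass.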