Can I set the user to authenticate as?

Wolfgang Draxinger Wolfgang.Draxinger at physik.uni-muenchen.de
Tue Jan 8 01:12:22 UTC 2013


On Fri, 4 Jan 2013 16:13:27 -0800
Dylan Martin <dmartin at seattlecentral.edu> wrote:

> With pam's flow-through-the-stack nature, I thought there might be a
> module that would change the user name for authentication purposes.

Theoretically this is possible. However, some services do break under
these conditions if the username changes. For example, OpenSSH has a
problem with this. The main exception is if characters are turned
upper- or lowercase.

Some time ago I did write a PAM module that indeed alters the username.
You can find the source code here:
https://github.com/datenwolf/pam_propperpwnam

From the README:

|pam_propperpwnam
|
|A PAM module that uses the entered login name as key to
|query the password database configured through nsswitch.conf
|and replaces the login name with what has been returned.
|
|On the typical system this module performs an identity transform.
|The main usage scenario are systems in networks where a user name
|is used in several distinct authentication systems, some of them
|being case sensitive and others not. For example the mail system
|may do case insensitive username lookups, while the workstations
|are case sensitive. In such environments users are often puzzled
|that a username working in one situation does not work in another.

There's a pam_python module that allows you to write PAM modules with
Python. This is great for experimentation; I suggest you experiment
with this.

But keep in mind that some things will break if you alter the login
name; technically those things are broken and should be fixed. Good
luck with filing bugs.


Cheers,

Wolfgang
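
The lookup-and-replace behaviour the README describes, written as a pam_python script. This is an added example, not part of the original message and not the code of pam_propperpwnam; the stack entry, the script path and the choice to return PAM_IGNORE are assumptions.

```python
# Added example for pam_python; not the code of pam_propperpwnam.
# Assumed stack entry, before the password-checking module (placeholder path):
#   auth  required  pam_python.so /path/to/canon_user.py
import collections
import pwd


def canonicalize(pamh, lookup=pwd.getpwnam):
    """Set PAM_USER to the passwd database's spelling; return it, or None."""
    try:
        entered = pamh.get_user()
    except pamh.exception:
        return None
    if not entered:
        return None
    try:
        # getpwnam() goes through nsswitch.conf, so a case-insensitive
        # backend can answer "JDoe" with the entry named "jdoe".
        canonical = lookup(entered).pw_name
    except KeyError:
        # Unknown name: keep it, so later modules fail it the usual way.
        return None
    if canonical != entered:
        pamh.user = canonical  # rewrites the PAM_USER item
    return canonical


def pam_sm_authenticate(pamh, flags, argv):
    canonicalize(pamh)
    # Never decide the outcome here; the following modules authenticate.
    return pamh.PAM_IGNORE


def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_IGNORE


if __name__ == "__main__":
    # Constructed stand-ins for the PAM handle and a case-insensitive backend.
    Entry = collections.namedtuple("Entry", "pw_name")
    class Handle(object):
        exception = Exception
        user = "JDoe"

        def get_user(self):
            return self.user

    h = Handle()
    print(canonicalize(h, lambda n: Entry(n.lower())), h.user)
```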



