get ITEMs in different pam context
Tomas Mraz
tmraz at redhat.com
Tue Aug 4 07:41:56 UTC 2015
On Tue, 2015-08-04 at 00:04 +0200, aurel wrote:
> Hello,
>
> I'm developing a module that uses the current user's password stored in the
> PAM context (PAM_AUTHTOK), recovered with pam_get_item().
> For the moment I have placed my module in the sudo configuration file, after
> pam_unix.so, to preset the user (it works fine).
>
> But now I have to use my module with another application (mine). In its
> configuration file, I specified my module for auth and session.
>
> This application will be started by sudo ($sudo myapp). So, is it
> possible to recover PAM_AUTHTOK in my module started by myapp? Knowing
> that myapp was started by sudo (so, my module has already been called
> once).
>
> In this way, the user can enter his password only one time with sudo.
>
> If I want to get PAM_AUTHTOK in my module (called by my app), I have to
> invoke pam_unix again (pamh being different).
No, this is not possible. The PAM items do not cross the PAM context
handle boundary. But look at the pam_timestamp module, which, if properly
configured, could help you to achieve the same effect.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
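
As an added illustration (not part of the original message, and not any distribution's shipped configuration), a sketch of how pam_timestamp could be wired in so that the password is asked for once. The service file name /etc/pam.d/myapp is hypothetical, and the surrounding pam_unix.so lines are assumptions about the rest of each stack.

```conf
# Constructed example. Only the lines relevant to the timestamp are shown;
# a real stack will contain more modules.

# --- /etc/pam.d/sudo ---
# The password is checked once here. After a successful authentication,
# the session phase of pam_timestamp records a timestamp for the user.
auth     required    pam_unix.so
account  required    pam_unix.so
session  required    pam_unix.so
session  optional    pam_timestamp.so

# --- /etc/pam.d/myapp (hypothetical service name) ---
# A sufficiently recent timestamp satisfies auth without a prompt.
# If there is none, control falls through to pam_unix.so, which prompts.
# timestamp_timeout is in seconds (300 is the module default); keep it
# short, since anything that passes this check skips the password.
auth     sufficient  pam_timestamp.so timestamp_timeout=300
auth     required    pam_unix.so
account  required    pam_unix.so
session  required    pam_unix.so
session  optional    pam_timestamp.so
```

When pam_timestamp.so succeeds as `sufficient`, the auth modules listed after it are skipped and nothing sets PAM_AUTHTOK in that handle. This avoids the second prompt, but a module that needs the password value itself still has to have it collected within its own PAM handle.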