get ITEMs in different pam context

Tomas Mraz tmraz at redhat.com
Tue Aug 4 07:41:56 UTC 2015


On Tue, 2015-08-04 at 00:04 +0200, aurel wrote:
> Hello,
> 
> I'm developing a module that uses the current user password stored in the PAM 
> context (PAM_AUTHTOK), recovered with pam_get_item().
> For the moment I placed my module in the sudo configuration file, after 
> pam_unix.so, to preset the user. (It works fine.)
> 
> But now I have to use my module with another application (mine). In its 
> configuration file, I specified my module for auth and session.
> 
> This application will be started by sudo ($sudo myapp). So, is it 
> possible to recover PAM_AUTHTOK in my module started by myapp? Knowing 
> that myapp was started by sudo (so, my module has already been called 
> once).
> 
> In this way, the user can enter his password only one time with sudo.
> 
> If I want to get PAM_AUTHTOK in my module (called by my app) I have to invoke 
> pam_unix again (pamh being different).

No, this is not possible. The PAM items do not cross the PAM context
handle boundary. But look at the pam_timestamp module, which, if properly
configured, could help you to achieve the same effect.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
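
A sketch of the pam_timestamp arrangement suggested in the reply above, as an added example that is not part of the original thread or of either poster's configuration. The module name pam_mymodule.so and the service name myapp are hypothetical, and it assumes the timestamp written during the sudo session matches the user and tty that the myapp stack checks.

```conf
# /etc/pam.d/sudo  (constructed example; pam_mymodule.so is a hypothetical name)
auth     required    pam_unix.so        # prompts, stores the password as PAM_AUTHTOK in this handle
auth     required    pam_mymodule.so    # pam_get_item(PAM_AUTHTOK) works here: same handle
session  required    pam_unix.so
session  optional    pam_timestamp.so   # writes the timestamp after a successful authentication

# /etc/pam.d/myapp  (constructed example; myapp calls pam_start() itself, so this is a new handle)
auth     sufficient  pam_timestamp.so   # fresh timestamp: succeed without prompting, stack ends here
auth     required    pam_unix.so        # fallback when the timestamp is missing or expired
auth     required    pam_mymodule.so    # reached only on the fallback path
session  required    pam_unix.so
session  optional    pam_timestamp.so
```

pam_timestamp only removes the second prompt; it does not set PAM_AUTHTOK, so in the myapp handle the password is available to a module only when the pam_unix fallback has run.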




