Feature suggestion - strip prefix and/or suffix on supplied username

Tomas Mraz tmraz at redhat.com
Fri Jan 30 14:47:58 UTC 2015


On Fri, 2015-01-30 at 13:59 +0000, Giddings, Bret wrote:
> Hi all,
> 
> I can't find anything online that matches this so it doesn't look like
> PAM already has this feature.
> 
> At my site, many users will either use NETBIOSDOMAIN\username or
> username@dns-domain when trying to authenticate. Depending on luck,
> either might work on things Windows-related. However, when we slip
> into the Linux realm, both will fail. So, I was wondering if there
> were a module which would sanitise the supplied username and strip
> (specified) prefixes or suffixes if present. That would then result in
> far fewer support calls to the helpdesk when they were in fact
> presenting perfectly valid credentials, albeit with known but
> redundant prefixes or suffixes.
> 
> Is this possible at all?

The problem is that some services that call PAM, namely sshd, do not
support changing the user name inside the PAM modules. The modules can
internally change the user name but it will not affect getpwnam() calls
outside the PAM. So the module as you describe it would not be too
useful with such services.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
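
An added example, not part of the original thread: the stripping step the question asks for, written as a stand-alone C function. The domain names `EXAMPLE\` and `@example.org` are constructed placeholders. Only explicitly listed prefixes and suffixes are removed, so a name from an unlisted domain is rejected rather than silently mapped onto a local account. A module could hand the result to `pam_set_item()` with `PAM_USER`, but as the reply notes, that does not change what a service such as sshd looks up with getpwnam() outside PAM.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed site configuration (assumptions, not from the post). */
static const char *const ALLOWED_PREFIXES[] = { "EXAMPLE\\", NULL };
static const char *const ALLOWED_SUFFIXES[] = { "@example.org", NULL };

/*
 * Strip one configured prefix and/or suffix from `in`, writing the bare
 * name to `out`. Returns 0 on success, -1 if the result is empty, too
 * long, or still contains a domain separator (i.e. an unlisted domain).
 */
int normalize_username(const char *in, char *out, size_t outlen)
{
    size_t len, i;

    if (in == NULL || out == NULL || outlen == 0)
        return -1;

    /* Domain names are case-insensitive, so compare without case. */
    for (i = 0; ALLOWED_PREFIXES[i] != NULL; i++) {
        size_t plen = strlen(ALLOWED_PREFIXES[i]);
        if (strncasecmp(in, ALLOWED_PREFIXES[i], plen) == 0) {
            in += plen;
            break;
        }
    }

    len = strlen(in);
    for (i = 0; ALLOWED_SUFFIXES[i] != NULL; i++) {
        size_t slen = strlen(ALLOWED_SUFFIXES[i]);
        if (len >= slen &&
            strcasecmp(in + len - slen, ALLOWED_SUFFIXES[i]) == 0) {
            len -= slen;
            break;
        }
    }

    if (len == 0 || len >= outlen)
        return -1;
    /* A leftover '\' or '@' means a domain we were not told to strip. */
    if (memchr(in, '\\', len) != NULL || memchr(in, '@', len) != NULL)
        return -1;

    memcpy(out, in, len);
    out[len] = '\0';
    return 0;
}
```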
