pam and parallelism

Tomas Mraz tmraz at redhat.com
Wed Nov 22 09:40:53 UTC 2017


On Wed, 2017-11-22 at 09:11 +0000, thilo.cestonaro at ts.fujitsu.com wrote:
> Hi all!
> 
> Is there a mechanism/api which I can use to have two authentication
> modes in parallel.
> 
> E.g. the user can either login via password or via usb token.
> One way would be to look for the usb token for 10 sec. and then start
> over to password authentication. But IMHO it would be a better way if
> the wait for the usb token is running in the background and if the
> token is plugged in, the user is logged in automatically regardless if
> he is typing in a password or not.
> However the user is able to type in the password anyway to login via
> password, although the usb token pam module is looking for the token.
> 
> Hope I could explain what I want to do :).
> 
> Is there already such API and what would be the key functions for
> this way?
> 
> Thanks for any advice!

You should be able to run two different PAM authentication stacks in
two threads in parallel. Of course once one of the stacks succeeds,
only one session call should be done and the other unfinished
authentication stack should be aborted. You have to provide the
synchronization mechanisms on your own though. An example of an
application that does this is GDM.

-- 
Tomáš Mráz
Red Hat

No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

 * Google and NSA associates, this message is none of your business.
 * Please leave it alone, and consider whether your actions are
 * authorized by the contract with Red Hat, or by the US constitution.
 * If you feel you're being encouraged to disregard the limits built
 * into them, remember Edward Snowden and Wikileaks.
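
Added example, not part of the original message and not GDM's code: a minimal coordinator for the pattern described in the reply (several authentication stacks running at once, first success wins, unfinished stacks aborted). It uses child processes instead of threads so that a blocked stack can be aborted with a signal, and the stack functions are constructed stand-ins for code that would call pam_start(), pam_authenticate() and pam_end().

```c
#include <signal.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* One authentication stack; returns 0 on success. A real one would wrap
 * pam_start(), pam_authenticate() and pam_end() for its own service name. */
typedef int (*auth_stack_fn)(void);

/* Constructed stand-ins (hypothetical) so the example runs without PAM. */
static int password_never_typed(void) { pause(); return 1; }
static int rejected(void) { return 1; }
static int token_plugged_in(void) {
    struct timespec t = { 0, 100 * 1000 * 1000 };  /* token shows up after 100 ms */
    nanosleep(&t, NULL);
    return 0;
}

/* Run each stack in its own child. Returns the index of the first stack to
 * succeed, or -1 if all fail. Unfinished stacks are killed and reaped. */
static int first_success(auth_stack_fn stacks[], int n)
{
    pid_t pids[8];
    int winner = -1, live = 0;
    if (n > 8) return -1;
    for (int i = 0; i < n; i++) {
        pids[i] = fork();
        if (pids[i] == 0) _exit(stacks[i]() == 0 ? 0 : 1);  /* child runs one stack */
        if (pids[i] > 0) live++;
    }
    while (live > 0 && winner < 0) {
        int status;
        pid_t done = wait(&status);
        if (done < 0) break;
        for (int i = 0; i < n; i++) {
            if (pids[i] != done) continue;
            pids[i] = -1; live--;
            if (WIFEXITED(status) && WEXITSTATUS(status) == 0) winner = i;
        }
    }
    for (int i = 0; i < n; i++)                    /* abort whatever is still running */
        if (pids[i] > 0) { kill(pids[i], SIGTERM); waitpid(pids[i], NULL, 0); }
    return winner;
}

int main(void) {
    auth_stack_fn stacks[] = { password_never_typed, token_plugged_in, rejected };
    return first_success(stacks, 3) == 1 ? 0 : 1;  /* the token stack wins */
}
```

The caller makes its single session call only for the returned index; a return of -1 means no stack authenticated the user.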
