Date: Fri, 7 Dec 2001 16:20:27 -0800 (PST)
From: Julian Elischer <julian@elischer.org>
To: Nick Rogness <nick@rogness.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: New PAM module question
Message-ID: <Pine.BSF.4.21.0112071617210.16845-100000@InterJet.elischer.org>
In-Reply-To: <Pine.BSF.4.21.0112071754150.4544-100000@cody.jharris.com>
Your first task would be to show that it is a generally useful and expected behaviour to end up in a login with a different username to that which you started out with. If you can prove that there are other useful reasons to do this, in addition to your own app, then certainly it would make sense to edit as many apps as you can to make them do the "right thing". It is only however the "right thing" if this is documented to be the way that PAM interaction is supposed to be done.

Just my POV.

On Fri, 7 Dec 2001, Nick Rogness wrote:

> Please direct me to the right mailing list if this is out of scope...
>
> I have just completed a new pam module (pam_vuser) for the intended
> purpose of substituting real usernames for virtual username/passwords
> typed in at login time. The module does the following:
>
> 1) End users attempt to login to a service with user@domain.com
> 2) pam_vuser looks up user@domain.com in a mysql DB
>
> MySQL DB looks like:
>
> Virtual User                Real UID
> -----------------------------------------
> user@domain.com       -->   id00001
> user@domain1.com      -->   id00002
> ...
> userX@domainX.com     -->   idX
>
> 3) pam_vuser retrieves Real UserID from DB
> 4) pam_vuser checks real_uid with system passwd (Make sure user
>    exists):
>
>    getpwnam(real_user)
>
> 5) pam_vuser checks pwd password to match against what the
>    end user typed in
> 6) If the passwords match, pam_vuser does a:
>
>    pam_set_item(pamh,PAM_USER,real_user);
>    return (PAM_SUCCESS);
>
> Of course, there are other things that are going on but are out of
> scope for this message.
>
> The idea was to tie all of the services, IMAP, POP, SSH, FTP into this
> module so we could support multiple username/domains and have duplicate
> usernames.
>
> This module works great for telnet/login. However, I've run into a
> hitch with other Applications. Most pam-aware applications seem to do the
> following:
>
> 1) Application passes username,pass to pam_module
> 2) pam_module returns PAM_SUCCESS after authenticating
> 3) App (usually) then does getpwnam on the username passed from
>    the end user in step #1
> 4) Application then proceeds with username and does its duty
>
> As you can see this is a problem for my module. Since my module
> changes the username in question, the app never checks for the
> username after the PAM_SUCCESS is returned. What I really need the
> Application to do after step #2 is to:
>
>    pam_get_item(pamh,PAM_USER,new_username);
>
> Then proceed onto step #3 with the new_username provided from my module.
>
> So anyway, onto my question.
>
> Do I have to patch all of the above applications in order for them to get
> the username before setting them up? Or is there a better way...?
>
> Any help would be greatly appreciated.
>
> Nick Rogness <nick@rogness.net>
> - Keep on Routing in a Free World...
> "FreeBSD: The Power to Serve!"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
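To make the mismatch Nick describes concrete, here is an added, self-contained C model of the flow in the thread (it is not libpam and not pam_vuser's code; the handle, tables, account names and passwords are constructed for the demo): a module that rewrites PAM_USER on success, and an application that either keeps the typed name or re-reads PAM_USER before its getpwnam() step.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for the PAM handle: only the PAM_USER item is modelled. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 1, PAM_USER_UNKNOWN = 2 };
struct pam_handle { char user[64]; };
static void set_pam_user(struct pam_handle *h, const char *u) {
    snprintf(h->user, sizeof h->user, "%s", u);
}

/* Constructed tables: the post's virtual-to-real mapping and a tiny passwd (plaintext only for the demo). */
static const struct { const char *vuser, *real; } vtab[] = {
    { "user@domain.com",  "id00001" },
    { "user@domain1.com", "id00002" },
};
static const struct { const char *name, *pw; } passwd[] = {
    { "id00001", "s3cret" }, { "id00002", "hunter2" },
};

/* Stand-in for getpwnam(): index of the real account, or -1 if it does not exist. */
int lookup_account(const char *name) {
    for (size_t i = 0; i < sizeof passwd / sizeof *passwd; i++)
        if (strcmp(passwd[i].name, name) == 0) return (int)i;
    return -1;
}

/* Model of pam_vuser: map the typed name, verify the real account's password,
 * then rewrite PAM_USER to the real account (the post's steps 2 to 6). */
int vuser_authenticate(struct pam_handle *h, const char *password) {
    for (size_t i = 0; i < sizeof vtab / sizeof *vtab; i++) {
        if (strcmp(vtab[i].vuser, h->user) != 0) continue;
        int idx = lookup_account(vtab[i].real);
        if (idx < 0) return PAM_USER_UNKNOWN;
        if (strcmp(passwd[idx].pw, password) != 0) return PAM_AUTH_ERR;
        set_pam_user(h, vtab[i].real);
        return PAM_SUCCESS;
    }
    return PAM_USER_UNKNOWN;
}

/* Application side: reread_pam_user == 0 keeps the typed name after PAM_SUCCESS (what the
 * post says most apps do); 1 re-reads PAM_USER. Returns the name handed to getpwnam(), or NULL. */
const char *login(const char *typed, const char *pw, int reread_pam_user,
                  char *out, size_t outlen) {
    struct pam_handle h;
    set_pam_user(&h, typed);
    if (vuser_authenticate(&h, pw) != PAM_SUCCESS) return NULL;
    snprintf(out, outlen, "%s", reread_pam_user ? h.user : typed);
    return out;
}
```

Only the re-reading path ends up with an account that exists in passwd; the other path has authenticated one identity and goes on to act as a name the system does not know.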