
PAM expertise sought


Jay G. Scott

Sep 4, 2002, 3:16:03 PM

I've been looking at PAM, and it's a handful, IMHO.

Here's what I'm after; the question is, is there something
I can cannibalize to do this?

When a user logs in, I want to prompt them for the group
they intend to use. I can do all the logic of checking
to see they're in the group and so forth, what I can't figure
out is how to go about giving the prompt and getting the
response.

Do I want to add to the stack in pam.conf? That is, do I
want to simply add a line in a configuration file and
(I assume) supply the module to process that line?
That seems like the thing I'd most like to do. I want
to be able to run this on Solaris if necessary. If I
can write a module to process a line in pam.conf, then
it's trivial to add in the module and edit pam.conf, and
voilà, I've got my extra requirement on any and all
machines I want.

I tried looking in several modules which I thought
would do something similar, but I just don't see
where the prompt is being sent, or the reply gotten.
Can you tell me where to look in an existing module
so I can see how it's done?

Or maybe I have the wrong idea altogether about PAM?

j.
--
Jay Scott 512-835-3553 g...@arlut.utexas.edu
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div. S224
University of Texas at Austin

Jay G. Scott

Sep 6, 2002, 4:10:28 PM
In article <al5m5j$c...@csdsun1.arlut.utexas.edu>,
Jay G. Scott <g...@arlut.utexas.edu> wrote:

[snip]

>
>When a user logs in, I want to prompt them for the group
>they intend to use. I can do all the logic of checking
>to see they're in the group and so forth, what I can't figure
>out is how to go about giving the prompt and getting the
>response.

[snip]

a tip from Bruce Hudson (thx) got me started.


what i found out was that, while you can call setgid() from
lots of places, the only one which i found would remember
that setgid() had been called was in the pam_sm_setcred()
routine. however, i couldn't get pam_setcred() to do the
prompting like i thought it should. pam_sm_authenticate()
would prompt, but setgid() wouldn't be remembered.

i also didn't know that the way to get values passed from
one routine to another was via pam_set_data(),
pam_get_data(). now it's easy: authenticate prompts
and calls pam_set_data(), setcred calls pam_get_data()
and calls setgid().

that, plus some relatively easy mods to pam.conf, and
i'm almost in business.

i notice that CDE's window for getting the group (my
addition, that is) contains the username, as though
that was the default group. seems like that ought
to be a matter of zeroing the response msg before
calling the prompt, but to me, it looks like it is
zeroed. perhaps i can simply supply new structs or
something.....
