
PAM expertise sought


Jay G. Scott

Sep 4, 2002, 3:16:03 PM

I've been looking at PAM, and it's a handful, IMHO.

Here's what I'm after; the question is, is there something
I can cannibalize to do this?

When a user logs in, I want to prompt them for the group
they intend to use. I can do all the logic of checking
to see they're in the group and so forth, what I can't figure
out is how to go about giving the prompt and getting the
response.

Do I want to add to the stack in pam.conf? That is, do I
want to simply add a line in a configuration file and
(I assume) supply the module to process that line?
That seems like the thing I'd most like to do. I want
to be able to run this on Solaris if necessary. If I
can write a module to process a line in pam.conf, then
it's trivial to add in the module and edit pam.conf, and
voilà, I've got my extra requirement on any and all
machines I want.

I tried looking in several modules which I thought
would do something similar, but I just don't see
where the prompt is being sent, or the reply gotten.
Can you tell me where to look in an existing module
so I can see how it's done?

Or maybe I have the wrong idea altogether about PAM?

j.
--
Jay Scott 512-835-3553 g...@arlut.utexas.edu
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div. S224
University of Texas at Austin

Jay G. Scott

Sep 6, 2002, 4:10:28 PM
In article <al5m5j$c...@csdsun1.arlut.utexas.edu>,
Jay G. Scott <g...@arlut.utexas.edu> wrote:

[snip]

>
>When a user logs in, I want to prompt them for the group
>they intend to use. I can do all the logic of checking
>to see they're in the group and so forth, what I can't figure
>out is how to go about giving the prompt and getting the
>response.

[snip]

a tip from Bruce Hudson (thx) got me started.


what i found out was that, while you can call setgid() from
lots of places, the only one which i found would remember
that setgid() had been called was in the pam_sm_setcred()
routine. however, i couldn't get pam_setcred() to do the
prompting like i thought it should. pam_sm_authenticate()
would prompt, but setgid() wouldn't be remembered.

i also didn't know that the way to get values passed from
one routine to another was via pam_set_data(),
pam_get_data(). now it's easy: authenticate prompts
and calls pam_set_data(), setcred calls pam_get_data()
and calls setgid().

that, plus some relatively easy mods to pam.conf, and
i'm almost in business.

i notice that CDE's window for getting the group (my
addition, that is) contains the username, as though
that was the default group. seems like that ought
to be a matter of zeroing the response msg before
calling the prompt, but to me, it looks like it is
zeroed. perhaps i can simply supply new structs or
something.....
