RFE: Set PAM_USER and PAM_AUTHTOK before starting authentication #735
Comments
|
Hi @akkornel I'm having a look at this area at the moment. The pam_start(() change you mention was addressed by #1883. The pam_set_item(,PAM_AUTHTOK,) call can't be done from an application as you request. This is raised on stackoverflow but not adequately answered. For that we need to look at the code for linux-PAM. The relevent code from pam_set_item() is here:- This is also part of the opengroup standard:- https://pubs.opengroup.org/onlinepubs/8329799/chap4.htm#tagcjh_05_02_01_01
So AFAICT, avoiding the pam conversation using this approach is not possible. There does not seem to be a way for use to set PAM_AUTHTOK. Any thoughts? |
|
I'm closing this for now, as I can't see a way to implement the setting of PAM_AUTHTOK. This seems to be discouraged by the PAM developers. |
Hello!
I'd like to request that
PAM_USERandPAM_AUTHTOKboth be set withinauth_userpass(in https://github.com/neutrinolabs/xrdp/blob/devel/sesman/verify_user_pam.c). This will allow basic PAM stacks to run possibly without the need for prompting for a username/password in the conversation mechanism.Here's what I was thinking in terms of implementation:
pam_start, for the second parameter, provideuser(the string passed in to the function call). That will automatically set thePAM_USERitem1.pam_set_itemto set thePAM_AUTHTOKitem type to be the user's password (thepassstring passed into the function call).2For PAM stacks to take advantage of it, modules which prompt for a password (like
pam_unix) would have to be invoked with thetry_first_passoruse_first_passoption, but forpam_unixtry_first_passis the default already.If all of this works, then a successful authentication will not require invoking the conversation function.
Please let me know if you have any questions about my request!
The text was updated successfully, but these errors were encountered: