
Re: [OATH-Toolkit-help] pam_oath with non-root access


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] pam_oath with non-root access
Date: Sun, 27 Jan 2013 19:46:30 +0100
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

Christian Hesse <address@hidden> writes:

> Christian Hesse <address@hidden> on Sun, 2011/05/01 17:14:
>> > How does xscreensaver/pam_unix solve this for e.g. /etc/shadow?
>> 
>> I took a deeper look at pam_unix and unix_chkpwd. pam_unix always calls
>> unix_chkpwd via execve() to authenticate the user.
>> I'm not sure I could implement this for pam_oath... Is anybody willing to do
>> this? I will take a deeper look if I have some spare time.
>
> Nothing happened to make pam_oath work with xscreensaver and the like
> (non-root services), no?

Not that I recall.

> Ok, some thoughts on that... pam_oath.so should not link to liboath.so but
> call a little helper program. The latter is linked against liboath.so and set
> uid root to access the usersfile.
> Is that the correct way or do we need to do it differently?

Yes, that sounds like a possible way forward.  I don't like setuid
binaries though.  A daemon approach may be safer, but that is more
complex and doesn't work if the daemon isn't always running.  If you
want to work on a setuid helper that would be very nice.  It could be
used when some PAM configuration token is present, right?

/Simon


