
[OATH-Toolkit-help] pam module is not working for non root applications


From: Peter Hudec
Subject: [OATH-Toolkit-help] pam module is not working for non root applications
Date: Sun, 12 Jul 2015 22:16:03 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

Hi,

I tried to use the oath pam module with software running as non-root, such as
freeradius and tacacs+. Generally there is a problem with such
software: access to the userfile is denied.

The permission to the userfile and its directory must be RW (tested on
Debian jessie, 2.4.1).

How do you use pam_oath with software running as regular user?

There are several ways to do it, but the best one (4) needs a
little bit of programming.

1)
run the software as root
I really do not want to use this option.

2)
extended acl
The common supplementary group is not working, since update_userfile
will create the new userfile as <0600/uid/gid>. Extended acl should work,
but in that case the RW access to the userfile will be granted to too
many processes and potentially users.

3)
separate userfile for each sw defined in the pam configurations.


4)
create module helper
Do it the way pam_unix works. It has the helper binary unix_chkpwd.


We can help with 4), but first we need to know if
- there is any other way to solve our issue
- the patch will be merged upstream

        best regards
                Peter
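
The failure mode behind option 2, as an added example that is not part of the original post or of oath-toolkit: a replace-by-rename update, modelled on the post's description (new userfile created as 0600 under the caller's uid), drops a group-writable mode and needs write access to the directory. The `.new` suffix, the file names and the sample entry are assumptions.

```python
import os
import stat
import tempfile

def replace_by_rename(usersfile, content):
    """Write '<usersfile>.new' with mode 0600, then rename it over usersfile.
    Assumed model of the update the post describes, not oath-toolkit code."""
    newfile = usersfile + ".new"  # hypothetical temporary name
    fd = os.open(newfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(newfile, 0o600)  # force 0600 regardless of the caller's umask
    os.rename(newfile, usersfile)

def snapshot(path):
    st = os.stat(path)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "inode": st.st_ino}

def demo():
    with tempfile.TemporaryDirectory() as d:
        usersfile = os.path.join(d, "users.oath")
        # Constructed sample entry, not a real secret.
        line = "HOTP/T30/6 alice - 3132333435363738393031323334353637383930\n"
        with open(usersfile, "w") as fh:
            fh.write(line)
        os.chmod(usersfile, 0o660)  # admin grants a shared group read/write
        before = snapshot(usersfile)
        replace_by_rename(usersfile, line)  # first update after the chmod
        after = snapshot(usersfile)
        # The update also has to create a file in the directory itself.
        os.chmod(d, 0o555)
        try:
            replace_by_rename(usersfile, line)
            dir_result = "allowed"  # expected only when running as root
        except PermissionError:
            dir_result = "denied"
        finally:
            os.chmod(d, 0o700)  # let TemporaryDirectory clean up
        return before, after, dir_result

if __name__ == "__main__":
    before, after, dir_result = demo()
    print("before update: mode=%o uid=%d" % (before["mode"], before["uid"]))
    print("after update:  mode=%o uid=%d" % (after["mode"], after["uid"]))
    print("update with read-only directory:", dir_result)
```

After the first update the file is a new inode owned by whichever service performed it, so a second service that relied on the group bit is locked out.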


