[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] pam_oath with non-root access

From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] pam_oath with non-root access
Date: Sun, 27 Jan 2013 19:46:30 +0100
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

Christian Hesse <address@hidden> writes:

> Christian Hesse <address@hidden> on Sun, 2011/05/01 17:14:
>> > How does xscreensaver/pam_unix solve this for e.g. /etc/shadow?
>> I took a deeper look at pam_unix and unix_chkpwd. pam_unix always calls
>> unix_chkpwd via execev() to authenticate the user.
>> I'm not sure I could implement this for pam_oath... Is anybody willing to do
>> this? I will take a deeper look if I have some spare time.
> Nothing happened to make pam_oath work with xscreensaver and the like
> (non-root services), no?

Not that I recall.

> Ok, some thoughts on that... pam_oath.so should not link to liboath.so but
> call a little helper program. The latter is linked against liboath.so and set
> uid root to access the usersfile.
> Is that the correct way or do we need to do it different?

Yes, that sounds like a possible way forward.  I don't like setuid
binaries though.  A daemon approach may be safer, but that is more
complex and doesn't work if the daemon isn't always running.  If you
want to work on a setuid helper that would be very nice.  It could be
used when some PAM configuration token is present, right?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]