From owner-freebsd-hackers Fri Dec  7 16:05:18 2001
Date: Fri, 7 Dec 2001 18:05:04 -0600 (CST)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: freebsd-hackers@freebsd.org
Subject: New PAM module question

Please direct me to the right mailing list if this is out of scope...

I have just completed a new pam module (pam_vuser) for the intended purpose
of substituting real usernames for virtual username/passwords typed in at
login time. The module does the following:

1) End users attempt to login to a service with user@domain.com

2) pam_vuser looks up user@domain.com in a mysql DB

   MySQL DB looks like:

   Virtual User                 Real UID
   -----------------------------------------
   user@domain.com      -->     id00001
   user@domain1.com     -->     id00002
   ...
   userX@domainX.com    -->     idX

3) pam_vuser retrieves Real UserID from DB

4) pam_vuser checks real_uid with system passwd (Make sure user exists):

   getpwnam(real_user)

5) pam_vuser checks pwd password to match against what the end user typed in

6) If the passwords match, pam_vuser does a:

   pam_set_item(pamh, PAM_USER, real_user);
   return (PAM_SUCCESS);

Of course, there are other things that are going on but are out of scope for
this message. The idea was to tie all of the services, IMAP, POP, SSH, FTP
into this module so we could support multiple username/domains and have
duplicate usernames.

This module works great for telnet/login. However, I've run into a hitch
with other Applications. Most pam-aware applications seem to do the
following:

1) Application passes username,pass to pam_module

2) pam_module returns PAM_SUCCESS after authenticating

3) App (usually) then does getpwnam on the username passed from the end user
   in step #1

4) Application then proceeds with username and does its duty

As you can see this is a problem for my module. Since my module changes the
username in question, the app never checks for the username after the
PAM_SUCCESS is returned. What I really need the Application to do after
step #2 is to:

   const char *new_username;
   pam_get_item(pamh, PAM_USER, (const void **)&new_username);

Then proceed onto step #3 with the new_username provided from my module.

So anyway, onto my question. Do I have to patch all of the above
applications in order for them to get the username before setting them up?
Or is there a better way...?

Any help would be greatly appreciated.

Nick Rogness
- Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
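As an added example that is not part of the original post or of pam_vuser, the C program below models the two halves of the problem Nick describes: the module side (virtual login looked up, real account confirmed to exist, password checked, PAM_USER rewritten) and the application side done correctly (the account used after authentication is re-read from PAM_USER, never taken from the name the user typed). To build without libpam or MySQL, an in-memory `vtable` stands in for the MySQL table, a constructed `accounts` array stands in for getpwnam(3) and the system password check, and `struct pam_items` stands in for the PAM_USER item; those names, along with `resolve_virtual_user`, `vuser_authenticate`, `app_login` and every sample value, are assumptions of this example. It also adds the input check a practitioner would want before the login string reaches a database query (bounded, printable, exactly one `@`) and a bounded copy into the fixed name buffer.

```c
/* Added example: models pam_vuser's lookup/rewrite and the application-side
 * re-read of PAM_USER. Not the module's own code; all tables are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NAME_MAX_LEN 64
#define VUSER_OK   0
#define VUSER_FAIL (-1)

/* Constructed stand-in for the MySQL table in the post (virtual user -> real UID). */
struct vmap { const char *virtual_user; const char *real_user; };
static const struct vmap vtable[] = {
    { "user@domain.com",  "id00001" },
    { "user@domain1.com", "id00002" },
    { "ghost@domain.com", "id99999" },   /* constructed: mapped, but no such system account */
};

/* Constructed stand-in for the system passwd database; each entry is what
 * getpwnam() would return. Passwords are clear text only to keep the demo
 * self-contained; the real module compares against the hashed pw_passwd. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "id00001", "hunter2-demo" },
    { "id00002", "s3cret-demo" },
};

/* Models the PAM_USER item: what the application handed to pam_start()
 * and what the module may overwrite with pam_set_item(). */
struct pam_items { char user[NAME_MAX_LEN]; };

/* Compare two strings without leaking the position of the first mismatch. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t diff = la ^ lb;
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (size_t)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* Accept only a bounded, printable "local@domain" login before the DB lookup. */
int valid_virtual_login(const char *login) {
    size_t n = strlen(login);
    if (n == 0 || n >= NAME_MAX_LEN) return 0;
    const char *at = strchr(login, '@');
    if (at == NULL || at == login || at[1] == '\0' || strchr(at + 1, '@') != NULL) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)login[i]) || isspace((unsigned char)login[i])) return 0;
    return 1;
}

/* Stand-in for getpwnam(): NULL when the real account does not exist. */
static const struct account *find_account(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0) return &accounts[i];
    return NULL;
}

/* Steps 2-4 of the module: map the virtual login to its real account and make
 * sure that account exists. Copies the real name into out (length checked). */
int resolve_virtual_user(const char *login, char *out, size_t outlen) {
    if (!valid_virtual_login(login) || outlen == 0) return VUSER_FAIL;
    for (size_t i = 0; i < sizeof vtable / sizeof vtable[0]; i++) {
        if (strcmp(vtable[i].virtual_user, login) != 0) continue;
        if (find_account(vtable[i].real_user) == NULL) return VUSER_FAIL;
        if (strlen(vtable[i].real_user) >= outlen) return VUSER_FAIL;
        strcpy(out, vtable[i].real_user);           /* fits: checked on the line above */
        return VUSER_OK;
    }
    return VUSER_FAIL;                               /* unknown virtual user */
}

/* Model of the module's authenticate entry point (steps 2-6): on success the
 * PAM_USER item is rewritten to the real account, as pam_set_item() does. */
int vuser_authenticate(struct pam_items *items, const char *password) {
    char real[NAME_MAX_LEN];
    if (resolve_virtual_user(items->user, real, sizeof real) != VUSER_OK) return VUSER_FAIL;
    const struct account *acct = find_account(real);
    if (acct == NULL || !ct_equal(acct->password, password)) return VUSER_FAIL;
    strcpy(items->user, real);                       /* pam_set_item(pamh, PAM_USER, real_user) */
    return VUSER_OK;
}

/* Application side, done the way the post asks for: the account used after
 * authentication is re-read from PAM_USER, never the name the user typed. */
const char *app_login(const char *typed, const char *password, struct pam_items *items) {
    if (strlen(typed) >= sizeof items->user) return NULL;
    strcpy(items->user, typed);                      /* pam_start(service, typed, &conv, &pamh) */
    if (vuser_authenticate(items, password) != VUSER_OK) return NULL;
    return items->user;                              /* pam_get_item(pamh, PAM_USER, ...) */
}

int main(void) {
    struct pam_items it;
    const char *who = app_login("user@domain.com", "hunter2-demo", &it);
    printf("typed user@domain.com, account to use: %s\n", who ? who : "(denied)");
    who = app_login("ghost@domain.com", "anything", &it);
    printf("typed ghost@domain.com, account to use: %s\n", who ? who : "(denied)");
    return 0;
}
```

The point the model makes concrete is the ordering in `app_login`: `items->user` is "user@domain.com" going into authentication and "id00001" coming out, so an application that keeps its own copy of the typed name and calls getpwnam() on it (step 3 in the post) will look up a non-existent account, while one that re-reads the item gets the real account. The `ghost@domain.com` case shows why the module's own getpwnam() check in step 4 matters: a stale row in the mapping table must fail closed rather than hand the application a name it cannot resolve.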