Authen::PAM::FAQ man page on OpenMandriva

Man page or keyword search:  
man Server   8135 pages
apropos Keyword Search (all sections)
Output format
OpenMandriva logo
[printable version]

PAM::FAQ(3)	      User Contributed Perl Documentation	   PAM::FAQ(3)

NAME
       Authen::PAM::FAQ - Frequently-Asked Questions about Authen::PAM.

SYNOPSIS
       perldoc Authen::PAM::FAQ

VERSION
       This document is currently at version 0.05, as of May 4, 2005

DESCRIPTION
   1. Can I authenticate a user non interactively?
       Yes, you can although not in a very clean way. The PAM library has a
       mechanism, in a form of a conversation function, to send and receive
       text data from the user. For details of the format of the conversation
       function consult the Authen::PAM manual.	 This function receives a list
       of code/string pairs. There are two codes (PAM_TEXT_INFO and
       PAM_ERROR_MSG) for displaying the associated string to the user and two
       codes (PAM_ECHO_ON and PAM_ECHO_OFF) for getting input from the user.
       As you can see the codes are rather general and you can not be
       completely sure when you are asked for a user name and when for a
       password. However, the common practice is that PAM_ECHO_ON is used for
       a user name and PAM_ECHO_OFF is used for a password. So, what you can
       do is to write your own conversation function which ignores the
       PAM_TEXT_INFO and PAM_ERROR_MSG codes and returns the user name for the
       code PAM_ECHO_ON and the password for the code PAM_ECHO_OFF. If you
       pass the user name in the initialization function then usually you will
       not be asked for it. Here is a simple example how to do this:

	 use Authen::PAM;
	 use POSIX qw(ttyname);

	 $service = "login";
	 $username = "foo";
	 $password = "bar";
	 $tty_name = ttyname(fileno(STDIN));

	 sub my_conv_func {
	   my @res;
	   while ( @_ ) {
	       my $code = shift;
	       my $msg = shift;
	       my $ans = "";

	       $ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
	       $ans = $password if ($code == PAM_PROMPT_ECHO_OFF() );

	       push @res, (PAM_SUCCESS(),$ans);
	   }
	   push @res, PAM_SUCCESS();
	   return @res;
	 }

	 ref($pamh = new Authen::PAM($service, $username, \&my_conv_func)) ||
		die "Error code $pamh during PAM init!";

	 $res = $pamh->pam_set_item(PAM_TTY(), $tty_name);
	 $res = $pamh->pam_authenticate;
	 print $pamh->pam_strerror($res),"\n" unless $res == PAM_SUCCESS();

       The Authen::PAM module comes with a default conversation function which
       you can find in the file PAM.pm.

   2. Can I change a password non interactively?
       All the discussion of the previous question also applies here.  There
       is however one serious complication. When changing a password it is
       quite possible that the PAM library will send you at lest two
       PAM_ECHO_OFF prompts - one for the old password and one or two for the
       new one. Therefore, the first thing you should do is to see what
       sequence of prompts is produced by your service. Then the conversation
       function should include some state variable to distinguish the
       different prompts. Here is an example:

	 use Authen::PAM;

	 $service = "passwd";
	 $username = "foo";
	 $oldpassword = "old_pass";
	 $newpassword = "new_pass";

	 sub my_conv_func {
	   my @res;
	   while ( @_ ) {
	       my $code = shift;
	       my $msg = shift;
	       my $ans = "";

	       $ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
	       if ($code == PAM_PROMPT_ECHO_OFF() ) {
		 $ans = $oldpassword if ($state == 0);
		 $ans = $newpassword if ($state == 1);
		 $ans = $newpassword if ($state == 2);

		 $state++;
	       }

	       push @res, (PAM_SUCCESS(),$ans);
	   }
	   push @res, PAM_SUCCESS();
	   return @res;
	 }

	 ref($pamh = new Authen::PAM($service, $username, \&my_conv_func)) ||
		die "Error code $pamh during PAM init!";

	 $state = 0;
	 $res = $pamh->pam_chauthtok;
	 print $pamh->pam_strerror($res),"\n" unless $res == PAM_SUCCESS();

       If you are running the script as root then most likely you will not be
       prompted for an old password. In this case you can simply return the
       new password at the ECHO_OFF prompt.

       The $msg variable contains the text of the input prompt which you can
       use for additional test or for debugging purposes, e.g.

	 if ($code == PAM_PROMPT_ECHO_OFF() ) {
	   if ($state>=1 || $msg=~/new/i) { # are we asked for a new password
	      $ans = $newpassword;
	   } else {
	      $ans = $oldpassword;
	   }
	   $state++;
	 }

   3. Why are the constants PAM_AUTHTOK and PAM_OLDAUTHTOK not avaliable?
       The PAM_AUTHTOK and PAM_OLDAUTHTOK items can be used to pass
       authentication tokens (passwords) from one module to another. However,
       they are avaliable only to PAM modules and not to PAM applicatinos. If
       you have a special setup in which you really need to preset the
       password from the application (e.g. using a radius server) then you can
       use the pam_set_authtok module avaliable from
       http://www.uni-hohenheim.de/~schaefer/linux/pam/pam_set_authtok.html
       <http://www.uni-hohenheim.de/~schaefer/linux/pam/pam_set_authtok.html>.

SEE ALSO
       Authen::PAM

AUTHOR
       Nikolay Pelov <NIKIP at cpan.org>

COPYRIGHT
       Copyright (c) 1998-2005 Nikolay Pelov. All rights reserved. This file
       is part of the Authen::PAM library. This library is free software; you
       can redistribute it and/or modify it under the same terms as Perl
       itself.

perl v5.16.3			  2005-06-30			   PAM::FAQ(3)
[top]

List of man pages available for OpenMandriva

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net