pam

Bind Linux to Active Directory using Kerberos

We are trying to bind a Linux machine (Debian 4.0) to W2k3 AD. We have configured Kerberos properly so that we can get TGTs. And users authenticate properly. However, PAM seems to be the sticky wicket. For example, when we try to SSH to the Linux machine as one of the AD users, the authentication succeeds (as per the auth.log) but I n...

Using a hardware token for login

I am new to the topic of cryptography and am studying PKI and PKCS etc. I understand the basic concept of PKI and how it is used for encryption/decryption. I am confused however about how a hardware token like a USB token or a smartcard is used for secure login to your computer. Here are steps as I understand them and the part I am confu...

Different access levels with PAM

Currently I have a graphical application that has two levels of access, operator and administrator. The login and authentication is all homebrewed and I'd like to switch the application to use PAM instead. I'm not sure what the right way to do that is. Correct me if I'm wrong, but it seems that PAM boils down to a "yes" or "no" check--y...

Security concerns with a Python PAM module?

Hi, I'm interested in writing a PAM module that would make use of a popular authentication mechanism for Unix logins. Most of my past programming experience has been in Python, and the system I'm interacting with already has a Python API. I googled around and found pam_python, which allows PAM modules to invoke the Python interpreter, t...

SecurID authentication in a Linux C++ application

Can anyone recommend how to implement SecurID authentication in Linux C++ based application? I was thinking of the following options: An apache module for SecurID (we're using Apache on the front-end) PAM Some combination of SecurID through Radius that I've heard about but don't understand ...

Escalating privileges on linux programmatically

I am creating a graphical installer that should run on Linux. Installing should consist of copying files to some places in /usr. Currently the installer is written in Python. How can I escalate the privileges of my installer when I need to copy files? I looked at PolicyKit but a) there doesn't seem to be a generic "install files" acti...

PHP pam_auth and cookies

Long story short, I'm developing an in-house report engine. It is entirely web based (utilising PHP and various AJAX techniques) and interprets data stored in a MySQL database by our production software. It runs on an Ubuntu 8.04 server, and all employees have a linux user account on that machine. I set up a login system using pam_auth t...

python-pam & pam_time module -- possible to check a user without password?

I've looked at the example script of python-pam and linux pam pages, but it's a bit confusing, at least for a beginner in PAM (that I am): http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_ADG.html http://packages.ubuntu.com/python-pam Is it possible to check if a user has or does not have access to login, without enteri...

Using pam_python in a script running with mod_python

Hi! I would like to develop a web interface to allow users of a Linux system to do certain tasks related to their account. I decided to write the backend of the site using Python and mod_python on Apache. To authenticate the users, I thought I could use python_pam to query the PAM service. I adapted the example bundled with the module ...

PAM authentication problem

I am using this module to authenticate using pam: http://code.google.com/p/web2py/source/browse/gluon/contrib/pam.py I can call authenticate('username','password') and it returns True/False. It works for any 'username' but 'root'. My guess is that there is a security restriction in PAM that does not allow to check for the root password...

Arbitrary virtual directories from mysql in VSFTP

I am setting up an instance of vsftpd, but the user tables in my system are not just username/password, they also include the user's home directories. Can I set up vsftp to pick up the virtual user's home directory from MySql as well.. or are we strictly limited to authentication? ...

PHP/PAM to change user password?

Are there any working packages to change a Linux user's password using PHP? I've tried using PECL:PAM but there's an error when it tries to change the password. Edit: PHP code: echo pam_chpass($username, $password, $new_pass, &$error) ? 'good' : $error; PHP (echo) output: Permission denied (in pam_authenticate) From /var/log/aut...

Resident Set Size (RSS) limit has no effect

The following problem occurs on a machine running Ubuntu 10.04 with the 2.6.32-22-generic kernel: Setting a limit for the Resident Set Size (RSS) of a process does not seem to have any effect. I currently set the limit in Python with the following code: import resource # (100, 100) is the (soft, hard) limit. ~100kb. resource.setrlimit(r...

Linux PAM module in Java

I do have a custom authentication mechanism which is written in Java. I was wondering what would be the best way to implement a Linux PAM module without rewriting the code in C? I am aware of this list of available PAM modules but none of them are Java-related. There's also JPam but it does the opposite thing: it allows to get user/gro...

stat() function doesn't seem to be working in test PAM module

I'm trying to write a PAM module. The PAM module creates a directory on first log in. Very similar to the pam_mkhomedir. Here is the code. PAM_EXTERN int pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval; const char *user; const struct passwd *pwd; struct stat St; ...

PHP: authenticate local unix user (without direct access to /etc/shadow)

Given a username and password, I need to check if there's a user on the local system with said username and password. I'm aware of posix_getpwnam and using the PAM package, but both of these methods require that the PHP script have access to /etc/shadow. I'd rather not mess with permissions of system files or daemon users. I imagine th...

How to configure pam in linux such that the login id and password should not be same?

How to configure pam in linux such that the login id and password should not be same? ...

Rpam ruby module and PAM service name

It appears that the best PAM module for ruby is "rpam". However this module hard codes the service name "rpam" when calling pam_start which seems to be denied by default on at least RHEL. I can get rpam to work by hacking the source to change the hardcoded service name to something present in /etc/pam.d. Do people normally reconfigure P...

Can't access to a user jailed by Jailkit

I am trying to jail a user, not permitting it to access anything besides its home directory. I have installed this Jailkit, and jailed a user named customer01 as it described at Jailkit's official site. Seems I got everything correct besides some PAM configurations. When trying to switch the user to customer01 by su customr01 and typin...

LDAP authenticating partially. Password being replaced

After a week of struggling to find out why some of our machines are authenticating off of our LDAP servers and some are not, I noticed that after PAM binds to see if the uid exists it then sends the user's password. At the packet level, I can see that when I auth on the machines that are working that I see my password come through. When I ...