libauthen-pam-perl 0.16-2build2 / usr / lib / perl5 / Authen / PAM / FAQ.pod

This file is indexed.

/usr/lib/perl5/Authen/PAM/FAQ.pod is in libauthen-pam-perl 0.16-2build2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
=head1 NAME

Authen::PAM::FAQ - Frequently-Asked Questions about Authen::PAM.

=head1 SYNOPSIS

perldoc Authen::PAM::FAQ

=head1 VERSION

This document is currently at version I<0.05>, as of I<May 4, 2005>

=head1 DESCRIPTION

=head2 1. Can I authenticate a user non interactively?

Yes, you can although not in a very clean way. The PAM library
has a mechanism, in a form of a conversation function, to send and
receive text data from the user. For details of the format of the
conversation function consult the Authen::PAM manual.  This function
receives a list of code/string pairs. There are two codes
(PAM_TEXT_INFO and PAM_ERROR_MSG) for displaying the associated string
to the user and two codes (PAM_ECHO_ON and PAM_ECHO_OFF) for getting
input from the user. As you can see the codes are rather general and
you can not be completely sure when you are asked for a user name and
when for a password. However, the common practice is that PAM_ECHO_ON
is used for a user name and PAM_ECHO_OFF is used for a password. So,
what you can do is to write your own conversation function which
ignores the PAM_TEXT_INFO and PAM_ERROR_MSG codes and returns the
user name for the code PAM_ECHO_ON and the password for the code
PAM_ECHO_OFF. If you pass the user name in the initialization function
then usually you will not be asked for it. Here is a simple example
how to do this:

  use Authen::PAM;
  use POSIX qw(ttyname);

  $service = "login";
  $username = "foo";
  $password = "bar";
  $tty_name = ttyname(fileno(STDIN));

  sub my_conv_func {
    my @res;
    while ( @_ ) {
        my $code = shift;
        my $msg = shift;
        my $ans = "";

	$ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
	$ans = $password if ($code == PAM_PROMPT_ECHO_OFF() );

        push @res, (PAM_SUCCESS(),$ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
  }

  ref($pamh = new Authen::PAM($service, $username, \&my_conv_func)) ||
	 die "Error code $pamh during PAM init!";

  $res = $pamh->pam_set_item(PAM_TTY(), $tty_name);
  $res = $pamh->pam_authenticate;
  print $pamh->pam_strerror($res),"\n" unless $res == PAM_SUCCESS();


The Authen::PAM module comes with a default conversation function
which you can find in the file F<PAM.pm>.

=head2 2. Can I change a password non interactively?

All the discussion of the previous question also applies here.  There
is however one serious complication. When changing a password it is
quite possible that the PAM library will send you at lest two
PAM_ECHO_OFF prompts - one for the old password and one or two for the
new one. Therefore, the first thing you should do is to see what
sequence of prompts is produced by your service. Then the conversation
function should include some state variable to distinguish the
different prompts. Here is an example:


  use Authen::PAM;

  $service = "passwd";
  $username = "foo";
  $oldpassword = "old_pass";
  $newpassword = "new_pass";

  sub my_conv_func {
    my @res;
    while ( @_ ) {
        my $code = shift;
        my $msg = shift;
        my $ans = "";

	$ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
	if ($code == PAM_PROMPT_ECHO_OFF() ) {
	  $ans = $oldpassword if ($state == 0);
	  $ans = $newpassword if ($state == 1);
	  $ans = $newpassword if ($state == 2);

	  $state++;
        }

        push @res, (PAM_SUCCESS(),$ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
  }

  ref($pamh = new Authen::PAM($service, $username, \&my_conv_func)) ||
	 die "Error code $pamh during PAM init!";

  $state = 0;
  $res = $pamh->pam_chauthtok;
  print $pamh->pam_strerror($res),"\n" unless $res == PAM_SUCCESS();

If you are running the script as root then most likely you will not be
prompted for an old password. In this case you can simply return the
new password at the ECHO_OFF prompt. 

The $msg variable contains the text of the input prompt which you can
use for additional test or for debugging purposes, e.g.

  if ($code == PAM_PROMPT_ECHO_OFF() ) {
    if ($state>=1 || $msg=~/new/i) { # are we asked for a new password
       $ans = $newpassword;
    } else {
       $ans = $oldpassword;
    }
    $state++;
  }


=head2 3. Why are the constants PAM_AUTHTOK and PAM_OLDAUTHTOK not avaliable?

The PAM_AUTHTOK and PAM_OLDAUTHTOK items can be used to pass
authentication tokens (passwords) from one module to another. However,
they are avaliable only to PAM modules and not to PAM applicatinos. If
you have a special setup in which you really need to preset the
password from the application (e.g. using a radius server) then you
can use the pam_set_authtok module avaliable from
L<http://www.uni-hohenheim.de/~schaefer/linux/pam/pam_set_authtok.html>.


=head1 SEE ALSO

L<Authen::PAM>

=head1 AUTHOR

Nikolay Pelov <NIKIP at cpan.org>

=head1 COPYRIGHT

Copyright (c) 1998-2005 Nikolay Pelov. All rights reserved. This file
is part of the Authen::PAM library. This library is free software; you
can redistribute it and/or modify it under the same terms as Perl
itself.

=cut

APT Browse - Built by Thomas Orozco.