www.cendio.com
Bug 4563 - Write an "interactive" PAM authentication tool
: Write an "interactive" PAM authentication tool
Status: CLOSED FIXED
: ThinLinc
Misc
: trunk
: PC Unknown
: P2 Enhancement
: 4.1.0
Assigned To:
:
:
:
: 4132
  Show dependency treegraph
 
Reported: 2013-03-25 11:15 by
Modified: 2013-05-07 14:14 (History)
Acceptance Criteria:


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From cendio 2013-03-25 11:15:05
tlwebaccess needs to authenticate users using PAM, just like sshd. To do this,
we need a helper binary which talks to PAM, presents prompts etc.
lsh-pam-checkpw cannot be used, since it does not support OTP, and is not
interactive in any other way. tl-pam-passwd is only for password changes, and
suffers from bad design. 

Instead of writing a tool from scratch though, we could consider using
http://pamtester.sourceforge.net/. It seems to do what we need. It hasn't been
updated in several years, but is packaged in Fedora, EPEL, and OpenSuse.
------- Comment #1 From cendio 2013-03-25 13:53:01 -------
Shipping pamtester in 26854.
------- Comment #2 From cendio 2013-03-26 08:34:05 -------
For reference, an alternative approach would have been to call PAM directly
from Python. There are a few options here:

* http://ace-host.stuart.id.au/russell/files/pam_python/, requires .so files,
thus we cannot use it. 

* http://atlee.ca/software/pam/ is a pure Python implementation, using "ctypes"
for opening libc, libpam etc. 

However, with all these solutions, I'm afraid that SELinux (today or tomorrow)
will prevent correct PAM behaviour, since /usr/bin/python might not have the
correct context etc. After all, we will need to read /etc/pam.d/sshd. A
separate binary allows us, if necessary, to set the context to exactly what
/usr/sbin/sshd uses.
------- Comment #3 From cendio 2013-05-07 14:14:50 -------
Tested pamtester alot when testing OTP on bug #4561, verified functionality by
installing ThinLinc build 3937 on CentOS which have selinux enabled by default
and the HTML5 client works out of the box with pam_prompt.so and no trace of
failures in the logs.