Bugzilla – Bug 4563
Write an "interactive" PAM authentication tool
Last modified: 2013-05-07 14:14:50
tlwebaccess needs to authenticate users using PAM, just like sshd. To do this,
we need a helper binary which talks to PAM, presents prompts etc.
lsh-pam-checkpw cannot be used, since it does not support OTP, and is not
interactive in any other way. tl-pam-passwd is only for password changes, and
suffers from bad design.
Instead of writing a tool from scratch though, we could consider using
http://pamtester.sourceforge.net/. It seems to do what we need. It hasn't been
updated in several years, but is packaged in Fedora, EPEL, and OpenSuse.
Shipping pamtester in 26854.
For reference, an alternative approach would have been to call PAM directly
from Python. There are a few options here:
* http://ace-host.stuart.id.au/russell/files/pam_python/, requires .so files,
thus we cannot use it.
* http://atlee.ca/software/pam/ is a pure Python implementation, using "ctypes"
for opening libc, libpam etc.
However, with all these solutions, I'm afraid that SELinux (today or tomorrow)
will prevent correct PAM behaviour, since /usr/bin/python might not have the
correct context etc. After all, we will need to read /etc/pam.d/sshd. A
separate binary allows us, if necessary, to set the context to exactly what
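The helper described in the first comment and the ctypes route listed above, as an added example that is not ThinLinc's, pamtester's or the atlee.ca module's code: a Python conversation callback that relays PAM prompts interactively, telling password-style (echo off) prompts from OTP-style (echo on) challenges, wired to libpam through ctypes. Assumed and not from the bug: the Linux-PAM ABI and library sonames, and `ask(text, echo)` as whatever front end collects the answer.

```python
import ctypes
# Linux-PAM message styles and return codes (values from <security/pam_appl.h>)
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO, PAM_SUCCESS, PAM_CONV_ERR = 1, 2, 3, 4, 0, 19
class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]
class PamResponse(ctypes.Structure):  # resp is void*: libpam free()s it, so it must come from libc
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]
CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)
class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]

def answer_prompts(prompts, ask):
    """(style, text) pairs -> replies: ECHO_OFF is password-style, ECHO_ON OTP-style; info/error get none."""
    replies = []
    for style, text in prompts:
        if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
            replies.append(ask(text, style == PAM_PROMPT_ECHO_ON))
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            replies.append("")
        else:
            raise ValueError(f"unknown PAM message style {style}")
    return replies

def make_conv(ask):
    libc = ctypes.CDLL("libc.so.6")  # assumed glibc soname
    libc.calloc.restype, libc.calloc.argtypes = ctypes.c_void_p, [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype, libc.strdup.argtypes = ctypes.c_void_p, [ctypes.c_char_p]
    def conv(num_msg, msg, resp, appdata):  # libpam calls this with each batch of prompts
        try:  # on Linux-PAM, msg is an array of num_msg pointers to pam_message
            prompts = [(msg[i].contents.msg_style, (msg[i].contents.msg or b"").decode()) for i in range(num_msg)]
            replies = answer_prompts(prompts, ask)
        except Exception:
            return PAM_CONV_ERR  # the module learns that the prompt could not be answered
        arr = ctypes.cast(libc.calloc(num_msg, ctypes.sizeof(PamResponse)), ctypes.POINTER(PamResponse))
        for i, reply in enumerate(replies):
            arr[i].resp = libc.strdup(reply.encode())
        resp[0] = arr
        return PAM_SUCCESS
    return CONV_FUNC(conv)

def authenticate(service, user, ask):
    """Run the auth and account stacks of /etc/pam.d/<service>; True only if both succeed."""
    libpam = ctypes.CDLL("libpam.so.0")  # assumed Linux-PAM soname
    handle, conv = ctypes.c_void_p(), PamConv(make_conv(ask), None)
    if libpam.pam_start(service.encode(), user.encode(), ctypes.byref(conv), ctypes.byref(handle)):
        return False
    ok = libpam.pam_authenticate(handle, 0) == PAM_SUCCESS and libpam.pam_acct_mgmt(handle, 0) == PAM_SUCCESS
    libpam.pam_end(handle, 0)
    return ok
```

Because the interpreter itself opens libpam and reads the service file, this route is exactly the one exposed to the SELinux context question raised above, which a dedicated helper binary avoids.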
Tested pamtester a lot when testing OTP on bug #4561, verified functionality by
installing ThinLinc build 3937 on CentOS, which has SELinux enabled by default,
and the HTML5 client works out of the box with pam_prompt.so and no trace of
failures in the logs.