PAM and NT'ed Linux ..

William M. Perry wmperry at aventail.com
Fri May 1 15:29:00 GMT 1998


Luke Kenneth Casson Leighton <lkcl at regent.push.net> writes:

> > The pam notion of who is being authenticated is contained in the
> > PAM_USER item.  How this item is filled is something a module has a
> > lot of control over.  The default is for the application to supply
> > this value when you call pam_start, or for a module to make use of the
> > PAM_PROMPT item and call pam_get_user().  Alternatively, if your
> > module wants to explicitly prompt for:
> > 
> > 	login: me
> > 	domain [default=here]: there
> 
> oo!  excellent idea!
> 
> > 	password: XXXX
> > 
> > and then translate the me/there combination into a local (UNIX)
> > username with the appropriate credentials, it can.  All it does is
> > pam_set_item(..PAM_USER...) with the appropriate UNIX username.  It
> 
> that's exactly what we needed to know.
> 
> > With "correctly" PAMified applications, this will likely "just work".
> > You may have problems with things like ftpd and popd whose protocols
> > are so restrictive that they don't support arbitrary user prompting...
> 
> then would the username format of \DOMAIN\user (or DOMAIN/user) suffice
> in this instance?  are you saying that arbitrary user prompting means
> "give me a username and a password and nothing else"?

  No - arbitrary user prompting is the case where you give separate prompts 
for username, domain, and password, and potentially go through the
rigamarole of changing the user's password if it has expired.

  This is why I have to have two different PAM modules for our server - one 
that fits into the old username/password only model, and one which is much 
more generic challenge/response and so can support any number of prompts to
the user.

  The PAM apache module would suffer from the same drawbacks as pop and ftp
as well.

-Bill P.
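The single-string login format raised above (\DOMAIN\user or DOMAIN/user, for protocols such as ftpd and popd that can only hand PAM one username) still leaves the module with the job of splitting the string and translating the domain/user pair into a local UNIX account before calling pam_set_item(PAM_USER). The following is an added example, not code from the post or from either server being discussed: it parses the login in those formats plus a bare username with a default domain, rejects anything outside a conservative character set, and resolves the pair through a constructed mapping table. DEFAULT_DOMAIN, the MAP table and the split_login()/map_login() names are assumptions for the example, and the pam_set_item() call itself is left out so the file builds without libpam.

```c
/* Added example (not from the post): map a single-string login such as
 * "DOMAIN\user", "DOMAIN/user", "\DOMAIN\user" or plain "user" to a local
 * UNIX account name, as a PAM module must do for protocols like ftpd/popd
 * that cannot prompt for the domain separately.  DEFAULT_DOMAIN, the MAP
 * table and the function names are assumptions for this example; a real
 * module would then call pam_set_item(pamh, PAM_USER, local), omitted here
 * so the file builds without libpam. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DEFAULT_DOMAIN "HERE"   /* assumed default when no domain is given */

/* Constructed mapping of (NT domain, NT user) -> local UNIX user. */
struct map_entry { const char *domain; const char *nt_user; const char *local; };
static const struct map_entry MAP[] = {
    { "HERE",  "me",    "me" },
    { "THERE", "me",    "there_me" },
    { "THERE", "admin", "there_admin" },
};

/* Accept only short tokens of [A-Za-z0-9_-]: the pieces we cut out of the
 * login string must never be able to name an arbitrary local account or
 * carry path or shell metacharacters. */
static int safe_token(const char *s, size_t n)
{
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-')
            return 0;
    return 1;
}

/* Split "DOMAIN\user", "DOMAIN/user", "\DOMAIN\user" or "user" into the
 * domain and user buffers.  Returns 0 on success, -1 on malformed input. */
int split_login(const char *login, char *domain, size_t dlen, char *user, size_t ulen)
{
    const char *p = login;
    if (*p == '\\' || *p == '/') p++;           /* tolerate a leading separator */
    const char *sep = strpbrk(p, "\\/");        /* first '\' or '/' ends the domain */
    const char *dom_s, *usr_s;
    size_t dom_n, usr_n;
    if (sep == NULL) {
        dom_s = DEFAULT_DOMAIN; dom_n = strlen(DEFAULT_DOMAIN);
        usr_s = p;              usr_n = strlen(p);
    } else {
        dom_s = p;       dom_n = (size_t)(sep - p);
        usr_s = sep + 1; usr_n = strlen(usr_s);  /* a second separator fails safe_token */
    }
    if (!safe_token(dom_s, dom_n) || !safe_token(usr_s, usr_n)) return -1;
    if (dom_n + 1 > dlen || usr_n + 1 > ulen) return -1;
    memcpy(domain, dom_s, dom_n); domain[dom_n] = '\0';
    memcpy(user, usr_s, usr_n);   user[usr_n] = '\0';
    return 0;
}

/* Resolve a login to its local UNIX username via the table (NT names are
 * case-insensitive, so both halves compare with strcasecmp).  Returns NULL
 * when the login is malformed or unmapped; a module should then fail the
 * authentication rather than guess an account. */
const char *map_login(const char *login)
{
    char domain[64], user[64];
    if (split_login(login, domain, sizeof domain, user, sizeof user) != 0) return NULL;
    for (size_t i = 0; i < sizeof MAP / sizeof MAP[0]; i++)
        if (strcasecmp(domain, MAP[i].domain) == 0 && strcasecmp(user, MAP[i].nt_user) == 0)
            return MAP[i].local;
    return NULL;
}

int main(void)
{
    /* Constructed sample logins, including two that must be rejected. */
    const char *logins[] = { "me", "THERE\\me", "there/admin", "\\THERE\\me",
                             "../etc", "NOWHERE\\me" };
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        const char *local = map_login(logins[i]);
        printf("%-14s -> %s\n", logins[i], local ? local : "(rejected)");
    }
    return 0;
}
```

The table stands in for whatever the real module consults (a flat file, the Samba username map, or a lookup against the domain controller); the point that carries over is that the string handed to pam_set_item(PAM_USER) is always a value chosen from that mapping, never a substring of what the remote client typed.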

