NWlogin with pam_script (TID 3416680)

Following the old TID 3416680 for SLED10 I'm trying to set up nwlogin
with pam_script: use PAM_AUTHTOK within /etc/security/onauth to assign
the password of the user doing a (ssh) login to the variable NWpassword
and then using nwlogin with the option --passenv.
Then in /etc/security/onsessionopen the eDirectory login scripts are
called with nwrunscripts.
The problem I have in making this work is that pam_script runs in the
context of root. That is, after doing an ssh login as an eDirectory user
effectively root is logged in to the tree and all mapped drives are
owned by root rather than by the user. I did some tests with "su -"
within the scripts but this easily creates a loop as su itself calls
pam_script. So I wonder how to make this work.

Günther
  • Günther Schwarz wrote:
    > Following the old TID 3416680 for SLED10 I'm trying to set up nwlogin
    > with pam_script: use PAM_AUTHTOK within /etc/security/onauth to assign
    > the password of the user doing a (ssh) login to the variable NWpassword
    > and then using nwlogin with the option --passenv.
    > Then in /etc/security/onsessionopen the eDirectory login scripts are
    > called with nwrunscripts.
    > The problem I have in making this work is that pam_script runs in the
    > context of root. That is, after doing an ssh login as an eDirectory user
    > effectively root is logged in to the tree and all mapped drives are
    > owned by root rather than by the user. I did some tests with "su -"
    > within the scripts but this easily creates a loop as su itself calls
    > pam_script. So I wonder how to make this work.


    OK, I gave up and went back to libpam-script-0.1.12 instead of
    pam-script-1.1.6. The older version runs within the user's context by
    default and thus does indeed work as described in TID 3416680.
    Unfortunately an option "runas" which is readily available in version
    0.1.12 is missing in 1.1.6.
    If anybody wants to verify this: use "expose=authtok" within the auth
    part of pam in version 0.1.12 instead of "expose=1" for version 0.1.10
    which is used in the TID. Otherwise they seem to behave much the same.

    Günther
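
    As an added diagnostic example (not from the thread, the TID or the pam_script project): an /etc/security/onauth skeleton for libpam-script 0.1.12 that checks it is really running with the logging-in user's uid before exporting the authtok, so the root-owned-mounts symptom described above is reported to syslog instead of silently produced. The PAM line in the header, the logger tags, the NWLOGIN_ARGS placeholder and the exact nwlogin argument syntax beyond --passenv are assumptions; take the real nwlogin arguments from the TID.

```sh
#!/bin/sh
# Added example (not from the thread, the TID or pam_script itself).
# Diagnostic /etc/security/onauth for libpam-script 0.1.12, assuming a PAM
# line like
#   auth  required  pam_script.so  expose=authtok
# so that the module exports PAM_AUTHTOK, PAM_USER and PAM_SERVICE to us.

# 0: running with PAM_USER's uid; 1: running as someone else (e.g. root);
# 2: PAM_USER unset or not a known account.
pam_context_check() {
    [ -n "$PAM_USER" ] || return 2
    want=$(id -u "$PAM_USER" 2>/dev/null) || return 2
    [ "$(id -u)" = "$want" ]
}

# True if the module actually exposed the authentication token.
# The value itself is never logged or echoed.
authtok_present() {
    [ -n "$PAM_AUTHTOK" ]
}

main_onauth() {
    if ! authtok_present; then
        logger -t onauth "no PAM_AUTHTOK for ${PAM_USER:-?}; check expose=authtok in the auth stack"
        return 1
    fi
    if ! pam_context_check; then
        # The failure mode from the thread: pam-script 1.1.6 runs the script
        # as root, so nwlogin would log root in and root would own the mounts.
        logger -t onauth "running as uid $(id -u), not as $PAM_USER; refusing to call nwlogin"
        return 1
    fi
    NWpassword="$PAM_AUTHTOK"
    export NWpassword
    # NWLOGIN_ARGS (tree, context, user) is a placeholder; the real arguments
    # for your site, and how --passenv is given, come from TID 3416680.
    nwlogin --passenv ${NWLOGIN_ARGS:-}
}

# Only act when PAM is really calling us; sourcing the file elsewhere
# just defines the functions so they can be checked on their own.
if [ -n "$PAM_SERVICE" ]; then
    main_onauth
fi
```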
