NWlogin with pam_script (TID 3416680)

Following the old TID 3416680 for SLED10 I'm trying to set up nwlogin
with pam_script: use PAM_AUTHTOK within /etc/security/onauth to assign
the password of the user doing a (ssh) login to the variable NWpassword
and then using nwlogin with the option --passenv.
Then in /etc/security/onsessionopen the eDirectory login scripts are
called with nwrunscripts.
The problem I have to make this work is that pam_script runs in the
context of root. That is after doing a ssh login as an eDirectory user
effectively root is logged in to the tree and all mapped drives are
owned by root rather than by the user. I did some tests with "su -"
within the scripts but this easily creates a loop as su itself calls
pam_script. So I wonder how to make this work.

Günther
  • Günther Schwarz wrote:
    > Following the old TID 3416680 for SLED10 I'm trying to set up nwlogin
    > with pam_script: use PAM_AUTHTOK within /etc/security/onauth to assign
    > the password of the user doing a (ssh) login to the variable NWpassword
    > and then using nwlogin with the option --passenv.
    > Then in /etc/security/onsessionopen the eDirectory login scripts are
    > called with nwrunscripts.
    > The problem I have to make this work is that pam_script runs in the
    > context of root. That is after doing a ssh login as an eDirectory user
    > effectively root is logged in to the tree and all mapped drives are
    > owned by root rather than by the user. I did some tests with "su -"
    > within the scripts but this easily creates a loop as su itself calls
    > pam_script. So I wonder how to make this work.


    OK, I gave up and went back to libpam-script-0.1.12 instead of
    pam-script-1.1.6. The older version runs within the user's context by
    default and thus does indeed work as described in TID 3416680.
    Unfortunately an option "runas" which is readily available in version
    0.1.12 is missing in 1.1.6.
    If anybody wants to verify this: use "expose=authtok" within the auth
    part of pam in version 0.1.12 instead of "expose=1" for version 0.1.10
    which is used in the TID. Otherwise they seem to behave much the same.

    Günther
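    The root-context problem in the original post (nwlogin ends up logging root in to the tree, and "su -" inside the hook re-enters PAM and loops) can also be handled without downgrading pam_script: switch identity directly with setgid/initgroups/setuid, which touches no PAM stack. The following is an added example of such a helper for the onsessionopen hook; it is not from the thread, the TID or pam_script itself. It assumes pam_script exports the authenticated user and token as PAM_USER and PAM_AUTHTOK (the latter only with the expose option discussed above), takes the variable name NWpassword from the thread, and leaves the exact nwlogin/nwrunscripts command line to the caller, since the TID's invocation is not quoted here.

```python
#!/usr/bin/env python3
"""run_as_pam_user.py: hypothetical helper for a pam_script onsessionopen
hook (added example, not from the thread or from pam_script).

Newer pam_script runs the hook as root; calling "su -" from inside it
re-enters the PAM stack and loops. This helper instead switches identity
with setgid/initgroups/setuid, which involves no PAM, and then exec()s the
command given on its own command line, e.g. the nwlogin --passenv or
nwrunscripts invocation, so nwlogin is performed by the user, not root."""
import os
import pwd
import sys

# Variables assumed to be exported by pam_script to its hooks
# (PAM_AUTHTOK only with expose=1 / expose=authtok, per the thread).
PAM_VARS = ("PAM_USER", "PAM_AUTHTOK")


def target_identity(username, getpwnam=pwd.getpwnam):
    """Resolve PAM_USER to (uid, gid, home). getpwnam is injectable so the
    function can be exercised without a real account. Refuse uid 0: the
    whole point is that nothing here should act as root on the tree."""
    pw = getpwnam(username)
    if pw.pw_uid == 0:
        raise PermissionError("refusing to run the hook for uid 0")
    return pw.pw_uid, pw.pw_gid, pw.pw_dir


def build_env(pam_env, home, password_var="NWpassword"):
    """Build a minimal environment for the user's command: HOME/USER/LOGNAME
    for the target user, PATH kept, the authtok copied into the variable
    that nwlogin --passenv reads (name taken from the thread), and the
    PAM_* variables themselves not forwarded. The password travels in the
    environment rather than on the command line, so it is not visible
    in the process list of other users."""
    env = {
        "HOME": home,
        "USER": pam_env["PAM_USER"],
        "LOGNAME": pam_env["PAM_USER"],
        "PATH": pam_env.get("PATH", "/usr/bin:/bin"),
    }
    if pam_env.get("PAM_AUTHTOK"):
        env[password_var] = pam_env["PAM_AUTHTOK"]
    return env


def drop_privileges(username, uid, gid):
    """Switch to the user: supplementary groups first, then gid, then uid
    (after setuid() the process can no longer call the other two).
    Verify the switch so a partial failure cannot leave us running as root."""
    os.initgroups(username, gid)
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: run_as_pam_user.py COMMAND [ARGS...]")
    pam_env = {k: os.environ[k] for k in PAM_VARS if k in os.environ}
    pam_env["PATH"] = os.environ.get("PATH", "")
    uid, gid, home = target_identity(pam_env["PAM_USER"])
    env = build_env(pam_env, home)
    if os.getuid() == 0:            # hook arrived as root (pam-script 1.1.x)
        drop_privileges(pam_env["PAM_USER"], uid, gid)
    os.chdir(home)
    os.execvpe(argv[1], argv[1:], env)   # replaces this process, never returns


if __name__ == "__main__":
    main(sys.argv)
```

    Because the hook itself still starts as root with the cleartext password in its environment, keep the hook script and this helper root-owned and not group- or world-writable, and do not echo PAM_AUTHTOK or NWpassword into any log.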

  • Hi Gunther,

    Perhaps post your question in the forums dedicated to SLED found here: https://forums.suse.com/forumdisplay.php?11-SLED-Configure-Administer

    You may get quicker results.

    Cheers,
  • laurabuckley wrote:

    > Perhaps post your question in the forums dedicated to SLED found here:
    > https://forums.suse.com/forumdisplay.php?11-SLED-Configure-Administer
    >
    > You may get quicker results.


    You might be right, though it is my impression that not too many people
    follow the discussions in SLED. I'll cross post anyway.
    Strictly speaking it was a question for OES as I have to do some
    administrative tasks on my servers that require a Novell login done via
    nwlogin as packed in novell-qtgui-cli. Thus the Novell Client that comes
    with SLED is not installed.
    Anyway, my problem is solved with using libpam-script-0.1.12 instead of
    pam-script-1.1.6 which results in running the nwlogin and nwrunscripts
    commands within the user context instead of root.

    Günther
  • Hi,

    I'm glad that you have it sorted. Thanks for posting back.

    Cheers,