NWlogin with pam_script (TID 3416680)

Following the old TID 3416680 for SLED10 I'm trying to set up nwlogin
with pam_script: use PAM_AUTHTOK within /etc/security/onauth to assign
the password of the user doing a (ssh) login to the variable NWpassword
and then using nwlogin with the option --passenv.
Then in /etc/security/onsessionopen the eDirectory login scripts are
called with nwrunscripts.
The problem I have to make this work is that pam_script runs in the
context of root. That is, after doing an ssh login as an eDirectory user,
effectively root is logged in to the tree and all mapped drives are
owned by root rather than by the user. I did some tests with "su -"
within the scripts but this easily creates a loop as su itself calls
pam_script. So I wonder how to make this work.

  • Günther Schwarz wrote:
    > laurabuckley wrote:
    >> Perhaps post your question in the forums dedicated to SLED found here:
    >> https://forums.suse.com/forumdisplay.php?11-SLED-Configure-Administer
    >> You may get quicker results.

    > Anyway, my problem is solved by using libpam-script-0.1.12 instead of
    > pam-script-1.1.6 which results in running the nwlogin and nwrunscripts
    > commands within the user context instead of root.

    It turns out I was too optimistic about this. It actually works as
    described in TID 3416680 for a console login, but not for ssh. With ssh
    I can't do the nwlogin within the auth part. Different environment for
    ssh as compared to a local login?
    As a workaround I can store the password within onauth somewhere and
    read it back within onsessionopen, doing the nwlogin there. This seems
    to be fine, but is kind of dirty. Any other suggestions?
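
The store-in-onauth, read-back-in-onsessionopen workaround from the last post, sketched as an added example (not code from the thread or from TID 3416680) that keeps the password in a 0600 file and deletes it on first read. `HANDOFF_DIR`, `stash_secret` and `fetch_secret` are hypothetical names; it assumes both hooks run under the same uid, that this uid can create `HANDOFF_DIR`, and that the path is on tmpfs.

```shell
#!/bin/sh
# Added example: one-shot password handoff between two pam_script hooks.
# HANDOFF_DIR and both function names are hypothetical, not part of pam_script.
HANDOFF_DIR="${HANDOFF_DIR:-/run/nwlogin-handoff}"   # assumed tmpfs path

# Accept only plain account names so a user name can never act as a path.
valid_user() {
    case $1 in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# For onauth: stash_secret "$PAM_USER" (secret is taken from $PAM_AUTHTOK).
stash_secret() {
    valid_user "$1" || return 1
    [ -n "${PAM_AUTHTOK:-}" ] || return 1
    (
        umask 077                                   # directory 0700, files 0600
        mkdir -p "$HANDOFF_DIR" || exit 1
        [ -L "$HANDOFF_DIR" ] && exit 1             # refuse a symlinked directory
        tmp=$(mktemp "$HANDOFF_DIR/.tmp.XXXXXX") || exit 1
        printf '%s' "$PAM_AUTHTOK" > "$tmp" || { rm -f "$tmp"; exit 1; }
        mv -f "$tmp" "$HANDOFF_DIR/$1"              # atomically replace a stale entry
    )
}

# For onsessionopen: NWpassword=$(fetch_secret "$PAM_USER"), then export it
# and run nwlogin with --passenv as described in the first post.
fetch_secret() {
    valid_user "$1" || return 1
    f="$HANDOFF_DIR/$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1        # regular file only
    secret=$(cat "$f"); rc=$?
    rm -f "$f"                                      # removed even if the read failed
    [ "$rc" -eq 0 ] || return 1
    printf '%s' "$secret"
}
```

If the session hook never runs (for example, the login is aborted after authentication), the file stays behind until the next login overwrites it, so an onsessionclose hook or boot-time cleanup of `HANDOFF_DIR` is still needed.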


