1PAM::FAQ(3)           User Contributed Perl Documentation          PAM::FAQ(3)
2
3
4

NAME

6       Authen::PAM::FAQ - Frequently-Asked Questions about Authen::PAM.
7

SYNOPSIS

9       perldoc Authen::PAM::FAQ
10

VERSION

12       This document is currently at version 0.05, as of May 4, 2005
13

DESCRIPTION

15   1. Can I authenticate a user non interactively?
16       Yes, you can although not in a very clean way. The PAM library has a
17       mechanism, in a form of a conversation function, to send and receive
18       text data from the user. For details of the format of the conversation
19       function consult the Authen::PAM manual.  This function receives a list
20       of code/string pairs. There are two codes (PAM_TEXT_INFO and
21       PAM_ERROR_MSG) for displaying the associated string to the user and two
22       codes (PAM_ECHO_ON and PAM_ECHO_OFF) for getting input from the user.
23       As you can see the codes are rather general and you can not be
24       completely sure when you are asked for a user name and when for a
25       password. However, the common practice is that PAM_ECHO_ON is used for
26       a user name and PAM_ECHO_OFF is used for a password. So, what you can
27       do is to write your own conversation function which ignores the
28       PAM_TEXT_INFO and PAM_ERROR_MSG codes and returns the user name for the
29       code PAM_ECHO_ON and the password for the code PAM_ECHO_OFF. If you
30       pass the user name in the initialization function then usually you will
31       not be asked for it. Here is a simple example how to do this:
32
33         use Authen::PAM;
34         use POSIX qw(ttyname);
35
36         $service = "login";
37         $username = "foo";
38         $password = "bar";
39         $tty_name = ttyname(fileno(STDIN));
40
41         sub my_conv_func {
42           my @res;
43           while ( @_ ) {
44               my $code = shift;
45               my $msg = shift;
46               my $ans = "";
47
48               $ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
49               $ans = $password if ($code == PAM_PROMPT_ECHO_OFF() );
50
51               push @res, (PAM_SUCCESS(),$ans);
52           }
53           push @res, PAM_SUCCESS();
54           return @res;
55         }
56
57         ref($pamh = new Authen::PAM($service, $username, \&my_conv_func)) ||
58                die "Error code $pamh during PAM init!";
59
60         $res = $pamh->pam_set_item(PAM_TTY(), $tty_name);
61         $res = $pamh->pam_authenticate;
62         print $pamh->pam_strerror($res),"\n" unless $res == PAM_SUCCESS();
63
64       The Authen::PAM module comes with a default conversation function which
65       you can find in the file PAM.pm.
66
67   2. Can I change a password non interactively?
68       All the discussion of the previous question also applies here.  There
69       is however one serious complication. When changing a password it is
70       quite possible that the PAM library will send you at lest two
71       PAM_ECHO_OFF prompts - one for the old password and one or two for the
72       new one. Therefore, the first thing you should do is to see what
73       sequence of prompts is produced by your service. Then the conversation
74       function should include some state variable to distinguish the
75       different prompts. Here is an example:
76
77         use Authen::PAM;
78
79         $service = "passwd";
80         $username = "foo";
81         $oldpassword = "old_pass";
82         $newpassword = "new_pass";
83
84         sub my_conv_func {
85           my @res;
86           while ( @_ ) {
87               my $code = shift;
88               my $msg = shift;
89               my $ans = "";
90
91               $ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
92               if ($code == PAM_PROMPT_ECHO_OFF() ) {
93                 $ans = $oldpassword if ($state == 0);
94                 $ans = $newpassword if ($state == 1);
95                 $ans = $newpassword if ($state == 2);
96
97                 $state++;
98               }
99
100               push @res, (PAM_SUCCESS(),$ans);
101           }
102           push @res, PAM_SUCCESS();
103           return @res;
104         }
105
106         ref($pamh = new Authen::PAM($service, $username, \&my_conv_func)) ||
107                die "Error code $pamh during PAM init!";
108
109         $state = 0;
110         $res = $pamh->pam_chauthtok;
111         print $pamh->pam_strerror($res),"\n" unless $res == PAM_SUCCESS();
112
113       If you are running the script as root then most likely you will not be
114       prompted for an old password. In this case you can simply return the
115       new password at the ECHO_OFF prompt.
116
117       The $msg variable contains the text of the input prompt which you can
118       use for additional test or for debugging purposes, e.g.
119
120         if ($code == PAM_PROMPT_ECHO_OFF() ) {
121           if ($state>=1 || $msg=~/new/i) { # are we asked for a new password
122              $ans = $newpassword;
123           } else {
124              $ans = $oldpassword;
125           }
126           $state++;
127         }
128
129   3. Why are the constants PAM_AUTHTOK and PAM_OLDAUTHTOK not avaliable?
130       The PAM_AUTHTOK and PAM_OLDAUTHTOK items can be used to pass
131       authentication tokens (passwords) from one module to another. However,
132       they are avaliable only to PAM modules and not to PAM applicatinos. If
133       you have a special setup in which you really need to preset the
134       password from the application (e.g. using a radius server) then you can
135       use the pam_set_authtok module avaliable from
136       http://www.uni-hohenheim.de/~schaefer/linux/pam/pam_set_authtok.html
137       <http://www.uni-hohenheim.de/~schaefer/linux/pam/pam_set_authtok.html>.
138

SEE ALSO

140       Authen::PAM
141

AUTHOR

143       Nikolay Pelov <NIKIP at cpan.org>
144
146       Copyright (c) 1998-2005 Nikolay Pelov. All rights reserved. This file
147       is part of the Authen::PAM library. This library is free software; you
148       can redistribute it and/or modify it under the same terms as Perl
149       itself.
150
151
152
153perl v5.12.0                      2005-06-30                       PAM::FAQ(3)
Impressum