> Using PAM is definitively not the reason why your process must be run
as root. What exactly are you doing?
Well, I started fiddling around with pam, and found that when running it as
user the only one I could authenticate was the user the process ran with.
Then I asked about that on the pam mailinglist, and somebody told me that
root rights are necessary.
PAM is not very well documented - if you can point me into the right
direction how to make it work for a normal user, and maybe even have some
meta-data attached to a user (e.g. grouplist), your very welcome!
The following script is authenticating every user if run as root. The
service "claros" is defined like this:
auth required pam_unix.so
account required pam_access.so
Here comes the script.
import PAM
def authenticate(user, password):
class AuthConv:
def __init__(_, password):
_.password = password
def __call__(_, auth, query_list, userData):
print "AuthConv called, pwd: %s" % _.password
resp = []
for query, qt in query_list:
if qt == PAM.PAM_PROMPT_ECHO_ON:
resp.append((_.password, 0))
elif qt == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((_.password, 0))
elif qt == PAM.PAM_PROMPT_ERROR_MSG or type ==
PAM.PAM_PROMPT_TEXT_INFO:
print query
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start("claros")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, AuthConv(password))
try:
auth.authenticate()
auth.acct_mgmt()
print "Authentication successful"
except PAM.error, resp:
print 'Go away, %s! (%s)' % (user, resp)
raise
authenticate("user", "pwd")
--
Regards,
Diez B. Roggisch
