Bug 4563 - Write an "interactive" PAM authentication tool
Summary: Write an "interactive" PAM authentication tool
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Misc
Version: trunk
Hardware: PC Unknown
Importance: P2 Enhancement
Target Milestone: 4.1.0
Assignee: Peter Åstrand
URL:
Keywords: hean01_tester
Depends on:
Blocks: 4132
Reported: 2013-03-25 11:15 CET by Peter Åstrand
Modified: 2013-05-07 14:14 CEST
See Also:
Acceptance Criteria:


Attachments

Description Peter Åstrand cendio 2013-03-25 11:15:05 CET
tlwebaccess needs to authenticate users using PAM, just like sshd. To do this, we need a helper binary which talks to PAM, presents prompts etc. lsh-pam-checkpw cannot be used, since it does not support OTP, and is not interactive in any other way. tl-pam-passwd is only for password changes, and suffers from bad design. 

Instead of writing a tool from scratch though, we could consider using http://pamtester.sourceforge.net/. It seems to do what we need. It hasn't been updated in several years, but is packaged in Fedora, EPEL, and OpenSuse.
Comment 1 Peter Åstrand cendio 2013-03-25 13:53:01 CET
Shipping pamtester in 26854.
Comment 2 Peter Åstrand cendio 2013-03-26 08:34:05 CET
For reference, an alternative approach would have been to call PAM directly from Python. There are a few options here:

* http://ace-host.stuart.id.au/russell/files/pam_python/, requires .so files, thus we cannot use it. 

* http://atlee.ca/software/pam/ is a pure Python implementation, using "ctypes" for opening libc, libpam etc. 

However, with all these solutions, I'm afraid that SELinux (today or tomorrow) will prevent correct PAM behaviour, since /usr/bin/python might not have the correct context etc. After all, we will need to read /etc/pam.d/sshd. A separate binary allows us, if necessary, to set the context to exactly what /usr/sbin/sshd uses.
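The description asks for a helper that talks to PAM and relays prompts (so that OTP modules such as pam_prompt.so can ask their own questions), and the comment above mentions driving libpam from Python through ctypes. The following is an added example of such a helper, written for this page; it is not pamtester, not the atlee.ca library, and not ThinLinc code. It assumes the Linux-PAM ABI (the conversation callback receives an array of pointers to pam_message, and the module frees the response array and every response string with free()), uses "sshd" as the default service name because the comment says the helper must read /etc/pam.d/sshd, and the one-line-per-message protocol on stdin/stdout is made up here so a parent process can drive the helper over pipes. Running authenticate() needs libpam on the host; answer_prompts() is pure Python. Note that this does nothing about the SELinux concern raised above: the process still runs in the interpreter's context, which is exactly why a separate binary that can take the sshd context is preferred.

```python
"""Added example: interactive PAM authentication helper on Linux-PAM via ctypes."""
import ctypes
import ctypes.util
import sys

# Linux-PAM return codes and message styles (values from <security/_pam_types.h>)
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR = 0, 5, 19
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
STYLE_NAMES = {PAM_PROMPT_ECHO_OFF: "PROMPT_ECHO_OFF", PAM_PROMPT_ECHO_ON: "PROMPT_ECHO_ON",
               PAM_ERROR_MSG: "ERROR_MSG", PAM_TEXT_INFO: "TEXT_INFO"}


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a void* on purpose: it must point at malloc()ed memory, never a Python string
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


# Linux-PAM passes an array of pointers to messages (not a pointer to an array)
CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_prompts(messages, answerer):
    """Pure-Python core of the conversation. messages is a list of (style, text);
    returns (PAM_SUCCESS, replies) with one entry per message (None for display-only
    messages) or (PAM_CONV_ERR, []) when a prompt cannot be answered."""
    replies = []
    for style, text in messages:
        if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
            reply = answerer(style, text)
            if reply is None:            # e.g. EOF from the parent process
                return PAM_CONV_ERR, []
            replies.append(reply)
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            answerer(style, text)        # shown to the user, no reply expected
            replies.append(None)
        else:                            # unknown style: refuse rather than guess
            return PAM_CONV_ERR, []
    return PAM_SUCCESS, replies


def scripted_answerer(answers):
    """Answerer replying from a dict keyed by prompt text (constructed, for tests)."""
    return lambda style, text: answers.get(text)


def stdio_answerer(style, text):
    """Constructed line protocol: '<STYLE> <text>' out on stdout; prompts read one reply
    line from stdin. A parent process drives the helper over pipes this way."""
    sys.stdout.write("%s %s\n" % (STYLE_NAMES[style], text.replace("\n", " ")))
    sys.stdout.flush()
    if style not in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
        return None
    line = sys.stdin.readline()
    return line.rstrip("\n") if line else None


def authenticate(service, user, answerer):
    """pam_start/pam_authenticate/pam_acct_mgmt/pam_end for service (e.g. "sshd" reads
    /etc/pam.d/sshd). user=None lets PAM ask for the login name through the
    conversation. Returns (pam_retcode, pam_strerror text)."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.argtypes = [ctypes.c_char_p]
    pam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.POINTER(PamConv),
                              ctypes.POINTER(ctypes.c_void_p)]
    for fn in (pam.pam_authenticate, pam.pam_acct_mgmt, pam.pam_end):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_int]
    pam.pam_strerror.restype = ctypes.c_char_p
    pam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]

    def conv(num_msg, msg, resp, appdata):
        try:
            messages = [(msg[i].contents.msg_style,
                         (msg[i].contents.msg or b"").decode("utf-8", "replace"))
                        for i in range(num_msg)]
            code, replies = answer_prompts(messages, answerer)
            if code != PAM_SUCCESS:
                return code
            # The module frees the array and each resp string with free(), so both
            # must come from the C allocator rather than from Python objects.
            block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
            if not block:
                return PAM_BUF_ERR
            responses = ctypes.cast(block, ctypes.POINTER(PamResponse))
            for i, reply in enumerate(replies):
                if reply is not None:
                    responses[i].resp = libc.strdup(reply.encode("utf-8"))
            resp[0] = responses
            return PAM_SUCCESS
        except Exception:                # a Python error must never read as success
            return PAM_CONV_ERR

    conv_cb = CONV_FUNC(conv)            # keep a reference while the handle lives
    pam_conv = PamConv(conv_cb, None)
    handle = ctypes.c_void_p()
    rc = pam.pam_start(service.encode(), user.encode() if user else None,
                       ctypes.byref(pam_conv), ctypes.byref(handle))
    if rc == PAM_SUCCESS:
        rc = pam.pam_authenticate(handle, 0)
    if rc == PAM_SUCCESS:
        rc = pam.pam_acct_mgmt(handle, 0)  # expired or locked accounts fail here
    text = (pam.pam_strerror(handle, rc) or b"").decode("utf-8", "replace")
    if handle:
        pam.pam_end(handle, rc)
    return rc, text


if __name__ == "__main__":
    svc = sys.argv[1] if len(sys.argv) > 1 else "sshd"
    usr = sys.argv[2] if len(sys.argv) > 2 else None
    code, why = authenticate(svc, usr, stdio_answerer)
    sys.stdout.write("RESULT %d %s\n" % (code, why))
    sys.exit(0 if code == PAM_SUCCESS else 1)
```

Run as `python helper.py sshd alice` and feed reply lines on stdin; every prompt a module emits, including an OTP challenge, arrives as its own PROMPT_ECHO_OFF or PROMPT_ECHO_ON line, so the parent decides how to present it. The two allocation details in conv (C-heap strings, a callback reference held across the PAM calls) are the usual causes of crashes when a ctypes conversation function is written casually.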
Comment 3 Henrik Andersson cendio 2013-05-07 14:14:50 CEST
Tested pamtester a lot when testing OTP on bug #4561, verified functionality by installing ThinLinc build 3937 on CentOS, which has SELinux enabled by default, and the HTML5 client works out of the box with pam_prompt.so and no trace of failures in the logs.