I just have a few questions, comments & suggestions regarding the
pam_fprint module.
After taking a brief look through the pam_fprint.c source I do not see
anything in regards to uid/gid mapping for the valid authentication
based on the image of a scanned fingerprint.
Is this something that you intend to keep? From a Unix/Linux standpoint
I can see how this might somewhat limit the security of the
authentication process unless you rely on something such as pam_unix
within your authentication stack.
First, I would like to propose including a simple getpw to assist in
the authentication of enrolled fingerprint-authenticated users (I can
see the use of a getpwnam call but suggest further mapping of user
accounts to enrolled fingerprint users. It might also help with the
homedir hack you have implemented, because you could initialize it from
the local account *OR*, when I am finished, from a struct provided by
OpenLDAP/Active Directory or MySQL entries).
Something utilizing getpwuid:
** Example ripped from the pam_krb5afs.c source
/* Headers needed for getpwnam/getpwnam_r, memset and LINE_MAX; the
 * TRUE/FALSE fallbacks are defined in case the module does not already
 * have them. */
#include <limits.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

#ifndef TRUE
#define TRUE  1
#define FALSE 0
#endif

#ifdef HAVE___POSIX_GETPWNAM_R
/* Function for determining a user's UID and primary GID. Solaris
 * version. */
/* Currently not used. We define instead the _POSIX_PTHREAD_SEMANTICS
 * macro. */
static int
get_pw(const char *user, uid_t *uid, gid_t *gid)
{
    static struct passwd rec;
    struct passwd *pwd = NULL;
    char buf[LINE_MAX];

    memset(&rec, 0, sizeof(rec));
    if (__posix_getpwnam_r(user, &rec, buf, sizeof(buf), &pwd) == 0) {
        if (pwd == &rec) {
            *uid = pwd->pw_uid;
            *gid = pwd->pw_gid;
            return TRUE;
        }
    }
    return FALSE;
}
#elif HAVE_GETPWNAM_R
/* Function for determining a user's UID and primary GID. glibc and most
 * other systems version. Note that rec and buf are static, so this
 * variant is not reentrant. */
static int
get_pw(const char *user, uid_t *uid, gid_t *gid)
{
    static struct passwd rec;
    struct passwd *pwd = NULL;
    static char buf[LINE_MAX];

    memset(&rec, 0, sizeof(rec));
    if (getpwnam_r(user, &rec, buf, sizeof(buf), &pwd) == 0) {
        if (pwd == &rec) {
            *uid = pwd->pw_uid;
            *gid = pwd->pw_gid;
            return TRUE;
        }
    }
    return FALSE;
}
#else
/* Really-old systems version (getpwnam returns a shared static buffer). */
static int
get_pw(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd *pwd;

    pwd = getpwnam(user);
    if (pwd != NULL) {
        *uid = pwd->pw_uid;
        *gid = pwd->pw_gid;
        return TRUE;
    }
    return FALSE;
}
#endif
Second, I have spoken with you before about adding support for
OpenLDAP/Active Directory (RFC2307) as well as MySQL for centralized
authentication. I believe I am now ready to begin adding this support
to the existing pam_fprint module, and need to know how up to date the
API documentation is.
Third, after doing some investigation of Active Directory, it is
possible to implement a binary photo schema attribute for all users
following the guide shown here: http://msdn.microsoft.com/en-us/library/ms953636.aspx
For OpenLDAP I have found the following:
http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2
x-my-Photo)
And an RFC regarding this schema attribute:
http://www.rfc-editor.org/rfc/rfc2798.txt
MySQL has the blob field type to handle binary data such as photos. One
thing I would like to do with this is to ensure we have 'all' account
data available so that local accounts on a Unix/Linux system are not
needed. Much like a roaming profile, an example of a MySQL database
table to manage this would be something like:
CREATE TABLE IF NOT EXISTS `fprint_users` (
    `id` int(255) NOT NULL auto_increment,
    `username` varchar(255) NOT NULL,
    `enrolled_fprint` blob NOT NULL,
    `uid` int(255) NOT NULL,
    `gid` int(255) NOT NULL,
    `shell` varchar(80) NOT NULL,
    `homedir` varchar(80) NOT NULL,
    `time` time NOT NULL,
    `date` date NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;
And for OpenLDAP/Active Directory the following schema attributes are
available for our use in a centralized authentication addition to your
pam_fprint module:
cn (common name, username attribute)
jpegPhoto (enrolled fingerprint as per RFC2798)
gidNumber (GID for Unix/Linux users as per Active Directory. OpenLDAP
has this schema attribute by default)
uidNumber (UID for Unix/Linux users as per Active Directory. OpenLDAP
has this schema attribute by default)
loginShell (shell attribute)
homeDirectory (as per Active Directory)
mSSFUHomeDirectory (as per SFU Active Directory extension defined in
RFC2307 for Unix/Linux users. Again, OpenLDAP has this schema attribute
by default)
In any event those are my questions, comments, suggestions and plans
unless you have something better in mind.
--
Jason Gerfen
Systems Administration/Web application development
[EMAIL PROTECTED]
Marriott Library
Lab Systems PC
295 South 1500 East
Salt Lake City, Utah 84112-0806
Ext 5-9810
"Tomorrow isn't promised so we live for today"
_______________________________________________
fprint mailing list
[email protected]
http://lists.reactivated.net/mailman/listinfo/fprint