Jason Gerfen wrote:
> I just have a few questions, comments & suggestions regarding the
> pam_fprint module.
>
> After taking a brief look through the pam_fprint.c source I do not see
> anything in regards to uid/gid mapping for the valid authentication
> based on the image of a scanned fingerprint.
Sorry for being thick, but what exactly do you mean by uid/gid mapping,
and why is it useful?
The existing system doesn't have any problems identifying the user. PAM
identifies which user is trying to log in.
> Is this something that you intend to keep? From a Unix/Linux standpoint
> I can see how this might somewhat limit the security of the
> authentication process unless you rely on something such as pam_unix
> within your authentication stack.
> First, I would like to propose the inclusion of a simple getpw to assist
> in the authentication of enrolled fingerprint-authenticated users (I
> can see the use of a getpwnam call but suggest further mapping of user
> accounts to enrolled fingerprint users. It might also help with the homedir
> hack you have implemented, because you could initialize it from the local
> account *OR, when I am finished, from a struct provided by OpenLDAP/Active
> Directory or MySQL entries).
>
> Something utilizing getpwuid:
> ** Example ripped from the pam_krb5afs.c source
> #ifdef HAVE___POSIX_GETPWNAM_R
> /* Function for determining a user's UID and primary GID. Solaris
>  * version. */
> /* Currently not used. We define instead the _POSIX_PTHREAD_SEMANTICS
>  * macro */
> static int
> get_pw(const char *user, uid_t *uid, gid_t *gid)
> {
>     static struct passwd rec;
>     struct passwd *pwd = NULL;
>     char buf[LINE_MAX];
>     memset(&rec, 0, sizeof(rec));
>     if (__posix_getpwnam_r(user, &rec, buf, sizeof(buf), &pwd) == 0) {
>         if (pwd == &rec) {
>             *uid = pwd->pw_uid;
>             *gid = pwd->pw_gid;
>             return TRUE;
>         }
>     }
>     return FALSE;
> }
> #elif HAVE_GETPWNAM_R
> /* Function for determining a user's UID and primary GID. glibc and most
>  * other systems version. */
> static int
> get_pw(const char *user, uid_t *uid, gid_t *gid)
> {
>     static struct passwd rec;
>     struct passwd *pwd = NULL;
>     static char buf[LINE_MAX];
>     memset(&rec, 0, sizeof(rec));
>     if (getpwnam_r(user, &rec, buf, sizeof(buf), &pwd) == 0) {
>         if (pwd == &rec) {
>             *uid = pwd->pw_uid;
>             *gid = pwd->pw_gid;
>             return TRUE;
>         }
>     }
>     return FALSE;
> }
> #else
> /* Really-old systems version. */
> static int
> get_pw(const char *user, uid_t *uid, gid_t *gid)
> {
>     struct passwd *pwd;
>     pwd = getpwnam(user);
>     if (pwd != NULL) {
>         *uid = pwd->pw_uid;
>         *gid = pwd->pw_gid;
>         return TRUE;
>     }
>     return FALSE;
> }
> #endif
>
> Second I have spoken with you before in regards to adding support for
> OpenLDAP/Active Directory (RFC2307) as well as MySQL support for
> centralized authentication. I believe I am now ready to begin adding
> this support into the existing pam_fprint module, and need to know how
> updated the API documentation is.
>
> Third, after doing some investigation of Active Directory it is possible
> to implement a photo binary schema attribute for all users following the
> guide http://msdn.microsoft.com/en-us/library/ms953636.aspx shown here.
> For OpenLDAP I have found the following:
> http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2
> x-my-Photo)
>
> And an RFC regarding this schema attribute:
> http://www.rfc-editor.org/rfc/rfc2798.txt
>
> MySQL has the blob field type to handle binary data such as photos. One
> thing I would like to do with this is to ensure we have 'all' account
> data available so local accounts on a Unix/Linux system are not needed.
> Much like a roaming profile, an example of a MySQL database table to
> manage this would be something like:
>
> CREATE TABLE IF NOT EXISTS `fprint_users` (
> `id` int(255) NOT NULL auto_increment,
> `username` varchar(255) NOT NULL,
> `enrolled_fprint` blob NOT NULL,
> `uid` int(255) NOT NULL,
> `gid` int(255) NOT NULL,
> `shell` varchar(80) NOT NULL,
> `homedir` varchar(80) NOT NULL,
> `time` time NOT NULL,
> `date` date NOT NULL,
> PRIMARY KEY (`id`)
> ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
>
> And for OpenLDAP/Active Directory the following schema attributes are
> available for our use in a centralized authentication addition to your
> pam_fprint module:
>
> cn (common name, username attribute)
> jpegPhoto (enrolled fingerprint as per RFC2798)
> gidNumber (GID for Unix/Linux users as per Active Directory. OpenLDAP
> has this schema attribute by default)
> uidNumber (UID for Unix/Linux users as per Active Directory. OpenLDAP
> has this schema attribute by default)
> loginShell (shell attribute)
> homeDirectory (as per Active Directory)
> mSSFUHomeDirectory (as per SFU Active Directory extension defined in
> RFC2307 for Unix/Linux users. Again, OpenLDAP has this schema attribute
> by default)
>
>
> In any event those are my questions, comments, suggestions and plans
> unless you have something better in mind.
>
_______________________________________________
fprint mailing list
[email protected]
http://lists.reactivated.net/mailman/listinfo/fprint
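The get_pw() helper quoted above keeps its passwd record (and, in one variant, its buffer) in static storage and sizes the buffer with LINE_MAX, so it is not reentrant and fails silently when an NSS backend such as LDAP returns an entry longer than that. The following is an added example, not code from the fprint project or from either poster, showing how a PAM module can resolve the name PAM already identified to a uid/gid pair reentrantly, growing the buffer on ERANGE and distinguishing "no such user" from a lookup error. The function names resolve_pw(), lookup_uid() and same_account() are my own; the sample user names in main() are constructed.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve 'user' to its uid and primary gid without static state.
 * Returns 0 on success, -1 if the user is unknown, or a positive errno
 * value if the lookup itself failed (NSS/LDAP outage, out of memory). */
static int
resolve_pw(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd rec;
    struct passwd *result = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);   /* may be -1 if unknown */
    size_t len = (hint > 0) ? (size_t)hint : 1024;
    char *buf = NULL;
    int rc;

    if (user == NULL || *user == '\0' || uid == NULL || gid == NULL)
        return EINVAL;

    for (;;) {
        char *nbuf = realloc(buf, len);
        if (nbuf == NULL) {
            free(buf);
            return ENOMEM;
        }
        buf = nbuf;
        rc = getpwnam_r(user, &rec, buf, len, &result);
        if (rc != ERANGE)
            break;
        /* Entry did not fit (long gecos/home from a directory backend):
         * double the buffer and retry, with a sanity cap of 1 MiB. */
        if (len >= (1u << 20)) {
            free(buf);
            return ERANGE;
        }
        len *= 2;
    }

    /* glibc reports "not found" as rc == 0 with a NULL result; some
     * systems return ENOENT or ESRCH instead. Treat both as unknown user. */
    if (rc == ENOENT || rc == ESRCH || (rc == 0 && result == NULL)) {
        free(buf);
        return -1;
    }
    if (rc != 0) {
        free(buf);
        return rc;
    }
    *uid = rec.pw_uid;
    *gid = rec.pw_gid;
    free(buf);
    return 0;
}

/* Convenience wrapper: the uid as a long, -1 if unknown, -2 on error. */
static long
lookup_uid(const char *user)
{
    uid_t uid;
    gid_t gid;
    int rc = resolve_pw(user, &uid, &gid);
    if (rc == 0)
        return (long)uid;
    return (rc == -1) ? -1 : -2;
}

/* Decide whether the account an enrolled print matched is the account PAM
 * is authenticating. Compare resolved uids, which is what the kernel will
 * enforce, rather than the spelling of the names. Any lookup failure
 * denies, so an NSS outage cannot turn into an accidental match. */
static int
same_account(const char *pam_user, const char *matched_user)
{
    long a = lookup_uid(pam_user);
    long b = lookup_uid(matched_user);
    return (a >= 0 && b >= 0 && a == b) ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *user = (argc > 1) ? argv[1] : "root";   /* constructed default */
    uid_t uid;
    gid_t gid;
    int rc = resolve_pw(user, &uid, &gid);

    if (rc == 0)
        printf("%s -> uid=%lu gid=%lu\n", user, (unsigned long)uid, (unsigned long)gid);
    else if (rc == -1)
        printf("%s: no such user\n", user);
    else
        printf("%s: lookup error: %s\n", user, strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -Wall -o pwmap pwmap.c` and run `./pwmap someuser`; on the PAM side the name passed in would come from pam_get_user(), and a return of -1 versus a positive errno lets the module return PAM_USER_UNKNOWN or PAM_AUTHINFO_UNAVAIL respectively instead of a generic failure.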