Christian Hesse <[email protected]> writes:

> Christian Hesse <[email protected]> on Sun, 2011/05/01 17:14:
>> > How does xscreensaver/pam_unix solve this for e.g. /etc/shadow?
>>
>> I took a deeper look at pam_unix and unix_chkpwd. pam_unix always calls
>> unix_chkpwd via execve() to authenticate the user.
>> I'm not sure I could implement this for pam_oath... Is anybody willing to do
>> this? I will take a deeper look if I have some spare time.
>
> Nothing happened to make pam_oath work with xscreensaver and the like
> (non-root services), no?

Not that I recall.

> Ok, some thoughts on that... pam_oath.so should not link to liboath.so but
> call a little helper program. The latter is linked against liboath.so and set
> uid root to access the usersfile.
> Is that the correct way or do we need to do it differently?

Yes, that sounds like a possible way forward. I don't like setuid binaries though. A daemon approach may be safer, but that is more complex and doesn't work if the daemon isn't always running.

If you want to work on a setuid helper that would be very nice. It could be used when some PAM configuration token is present, right?

/Simon
