Hi,

On 02/25/2011 09:13 AM, Martin Koegler wrote:
> tigervnc currently only uses the auth section - account, session and
> password are ignored.
>
> Xvnc simply passes username & password to pam and waits for the
> result. I have tested it for example with the pam_krb5 module
> successfully.
>
> The problem is, that some pam modules react differently, if they are
> invoked by root or a normal user.
>
> The Debian pam_unix, e.g., lets normal users only verify their own
> password and fails on any other user name. Other modules like pam_krb5,
> (also pam_ldap?) allow a normal user to verify the password of any user.
>
> I would check, if your pam_radius_auth has any config/data file, which
> are only root accessible. If that is the case, it will probably only
> work, if Xvnc runs as root [or gets otherwise access to these files].
>
> Regards,
> Martin Kögler
Thank you! I just tried it on Gentoo which has more verbose logging and 
it indeed turned out that the problem was the read permissions of the 
radius configuration file. Setting this to world-readable makes it 
possible to log in.

Unfortunately, the radius configuration file contains a secret string 
to authenticate against the Radius server, so it should not be world 
readable.

I was actually under the impression that PAM is a query-service run as 
root: how else can a user be capable of obtaining root privileges by 
using su? Apparently it works differently.

Anyway, is there any way to make a construction to authenticate against 
a module with root-only readable configuration file as a normal user? 
(different than inetd/xdm, which does not have the features I need for 
this group of users).


Sincerely,
Sebastiaan


