Re: NWlogin with pam_script (TID 3416680)



Günther Schwarz
24-Sep-2013, 15:22
laurabuckley wrote:

> Perhaps post your question in the forums dedicated to SLED found here:
> https://forums.suse.com/forumdisplay.php?11-SLED-Configure-Administer
>
> You may get quicker results.

You might be right, though it is my impression that not too many people
follow the discussions in SLED. I'll cross post anyway.
Strictly speaking it was a question for OES as I have to do some
administrative tasks on my servers that require a Novell login done via
nwlogin as packed in novell-qtgui-cli. Thus the Novell Client that comes
with SLED is not installed.
Anyway, my problem is solved with using libpam-script-0.1.12 instead of
pam-script-1.1.6 which results in running the nwlogin and nwrunscripts
commands within the user context instead of root.

Günther

Günther Schwarz
17-Oct-2013, 16:41
Günther Schwarz wrote:
> laurabuckley wrote:
>
>> Perhaps post your question in the forums dedicated to SLED found here:
>> https://forums.suse.com/forumdisplay.php?11-SLED-Configure-Administer
>>
>> You may get quicker results.

> Anyway, my problem is solved with using libpam-script-0.1.12 instead of
> pam-script-1.1.6 which results in running the nwlogin and nwrunscripts
> commands within the user context instead of root.

It turns out I was too optimistic about this. It actually works as
described in TID 3416680 for a console login, but not for ssh. With ssh
I can't do the nwlogin within the auth part. Different environment for
ssh as compared to a local login?
As a workaround I can store the password within onauth somewhere and
read it back within onsessionopen, doing the nwlogin there. This seems
to be fine, but is kind of dirty. Any other suggestions?

Günther

mikewillis
17-Oct-2013, 17:11
Günther Schwarz wrote:
> It turns out I was too optimistic about this. It actually works as
> described in TID 3416680 for a console login, but not for ssh. With ssh
> I can't do the nwlogin within the auth part. Different environment for
> ssh as compared to a local login?


When you say you can't do nwlogin within the auth part, does that mean you added the relevant lines to /etc/pam.d/sshd but it doesn't work?

Something I've found helpful when debugging scripts being called by PAM modules is to add lines like

debugfile="/tmp/$(basename $0)";
> "${debugfile}";
env > "${debugfile}";
so I can see what various variables are being set to. (Obviously remember to remove that before production!)

I don't have any SLED 10 machines any more or anything to log in to with nwlogin myself.

On a tangential note I'm curious as to why the TID describes using pam_script which is not included in SLED rather than pam_exec which is included in SLED. I used to use pam_script to do some things at login because that was a solution I found via Google and I was completely ignorant of pam_exec. When I discovered pam_exec I switched to using that. I had to tweak my scripts a bit but it does what I wanted to do as well as pam_script did.

Günther Schwarz
18-Oct-2013, 15:40
mikewillis wrote:
>
> Günther Schwarz;16959 Wrote:
>> Günther Schwarz wrote:
>> It turns out I was too optimistic about this. It actually works as
>> described in TID 3416680 for a console login, but not for ssh. With ssh
>> I can't do the nwlogin within the auth part. Different environment for
>> ssh as compared to a local login?
>>
>
> When you say you can't do nwlogin within the auth part, does that mean
> you added the relevant lines to /etc/pam.d/sshd but it doesn't work?
>
> Something I've found helpful when debugging scripts being called by PAM
> modules is to add lines like
>
> Code:
> --------------------
> debugfile="/tmp/$(basename $0)";
> > "${debugfile}";
> env > "${debugfile}";
> --------------------
>
> so I can see what various variables are being set to. (Obviously
> remember to remove that before production!)

Yes, that helped a lot: it turns out that nwlogin does need the
HOME variable to be set. This is available upon login on a terminal but
not in the auth section of an ssh login. So an

export HOME=`/usr/bin/getent passwd $USER | /usr/bin/cut -d: -f6`

within the onauth script solved my problem. Thank you very much indeed.

> On a tangential note I'm curious as to why the TID describes using
> pam_script which is not included in SLED rather than pam_exec which is
> included in SLED. I used to use pam_script to do some things at login
> because that was a solution I found via Google and I was completely
> ignorant of pam_exec. When I discovered pam_exec I switched to using
> that. I had to tweak my scripts a bit but it does what I wanted to do as
> well as pam_script did.

Maybe pam_exec is simply less known. I was also not aware of it, so
thanks for the hint. A quick first try shows that the scripts will
indeed need some tweaks as

auth optional pam_exec.so debug expose_authtok seteuid \
/etc/security/onauth

is not a plugin replacement for

auth optional pam_script.so expose=authtok

Günther
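The thread settles on three practical points: dumping the environment a PAM-invoked script actually sees (mikewillis's debugging trick), setting HOME from passwd data because it is absent in the auth phase of an ssh login, and the fact that a pam_script hook is not a drop-in for pam_exec. The script below is an added example, not code from the thread, from TID 3416680 or from either module's project; it is a hypothetical replacement for an /etc/security/onauth hook that works under either module. It assumes that pam_script with expose=authtok exports the password as PAM_AUTHTOK, that pam_exec with expose_authtok writes the password to the script's stdin (NUL-terminated, without a newline), and that both modules export PAM_USER. The nwlogin call itself is left as a comment, since the thread shows no arguments for it.

```shell
#!/bin/sh
# Added example: a PAM login hook (e.g. /etc/security/onauth) usable from either
#   auth optional pam_script.so expose=authtok
#   auth optional pam_exec.so debug expose_authtok seteuid /etc/security/onauth
# Assumptions: pam_script exports PAM_AUTHTOK; pam_exec sends the password on
# stdin (NUL-terminated, no newline); both export PAM_USER.

# Resolve the home directory from passwd data, because HOME is not set in the
# auth phase of an ssh login. A passwd file may be given as $2 for offline tests;
# otherwise the thread's getent | cut approach is used.
resolve_home() {
    if [ -n "${2:-}" ]; then
        home=$(awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2")
    else
        home=$(getent passwd "$1" | cut -d: -f6)
    fi
    [ -n "$home" ] || return 1
    printf '%s\n' "$home"
}

# Obtain the password the way whichever module exported it.
read_authtok() {
    if [ -n "${PAM_AUTHTOK:-}" ]; then
        printf '%s\n' "$PAM_AUTHTOK"      # pam_script expose=authtok
    else
        authtok=$(tr -d '\000')           # pam_exec expose_authtok: stdin, strip NUL
        printf '%s\n' "$authtok"
    fi
}

# Write the environment this script sees, as in mikewillis's debugging tip, but
# with the password redacted so the debug file never holds a credential. The
# file is created mode 0600; give it a fixed path in a root-owned directory,
# not a predictable name under /tmp.
dump_env_redacted() {
    ( umask 077
      env | sed 's/^PAM_AUTHTOK=.*/PAM_AUTHTOK=<redacted>/' | sort > "$1" )
}

main() {
    # In the auth phase PAM_USER is the name the (not yet authenticated) client
    # supplied, so it is never used to build a file path here.
    user=${PAM_USER:?PAM_USER not set, not running under PAM}
    if [ -z "${HOME:-}" ]; then
        HOME=$(resolve_home "$user") || exit 1
        export HOME
    fi
    dump_env_redacted /var/log/pam-onauth.env   # path is an assumption
    authtok=$(read_authtok)
    # Assumption: the nwlogin invocation from TID 3416680 goes here, fed with
    # "$authtok"; its arguments are not shown in the thread, so none are given.
    : "$authtok"
}

# Only run the hook when a PAM module invoked us (both modules export PAM_USER).
if [ -n "${PAM_USER:-}" ]; then
    main
fi
```

Because the password arrives differently from the two modules, read_authtok is the only function that must change if you move from one module to the other; the HOME fix and the redacted environment dump apply to both. Dropping the debug call is all that is needed once the hook works.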