mikewillis wrote:
>
> Günther Schwarz;16959 Wrote:
>> Günther Schwarz wrote:
>> It turns out I was too optimistic about this. It actually works as
>> described in TID 3416680 for a console login, but not for ssh. With ssh
>> I can't do the nwlogin within the auth part. Different environment for
>> ssh as compared to a local login?
>>
>
> When you say you can't do nwlogin within the auth part, does that mean
> you added the relevant lines to /etc/pam.d/sshd but it doesn't work?
>
> Something I've found helpful when debugging scripts being called by PAM
> modules is to add lines like
>
> Code:
> --------------------
> debugfile="/tmp/$(basename "$0")";
> > "${debugfile}";
> env > "${debugfile}";
> --------------------
>
> so I can see what various variables are being set to. (Obviously
> remember to remove that before production!)


Yes, that helped a lot: Actually it turns out that nwlogin does need the
HOME variable to be set. This is available upon login on a terminal but
not in the auth section of a ssh login. So an

export HOME=`/usr/bin/getent passwd $USER | /usr/bin/cut -d: -f6`

within the onauth script solved my problem. Thank you very much indeed.

> On a tangential note I'm curious as to why the TID describes using
> pam_script which is not included in SLED rather than pam_exec which is
> included in SLED. I used to use pam_script to do some things at login
> because that was a solution I found via Google and I was completely
> ignorant of pam_exec. When I discovered pam_exec I switched to using
> that. I had to tweak my scripts a bit but it does what I wanted to do as
> well as pam_script did.


Maybe pam_exec is simply less known. I was also not aware of it, so
thanks for the hint. A quick first try shows that the scripts will
indeed need some tweaks as

auth optional pam_exec.so debug expose_authtok seteuid \
/etc/security/onauth

is not a plugin replacement for

auth optional pam_script.so expose=authtok

Günther
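
Added example, not part of the thread and not code from the TID: a skeleton for /etc/security/onauth under the pam_exec line above. It sets HOME as described, takes the password from stdin (where expose_authtok delivers it) and writes the debug dump to a private file with token variables dropped. The function names and the ONAUTH_DEBUG switch are made up for this sketch, and the nwlogin call itself is left out.

```shell
#!/bin/sh
# Added example: skeleton of /etc/security/onauth for use with pam_exec.
# pam_exec sets PAM_USER and PAM_TYPE in the environment; with
# expose_authtok the password is written to the script's stdin.

# Field 6 (home directory) of one passwd(5) entry.
home_from_entry() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Home directory of a user, looked up the same way as in the thread.
home_of() {
    home_from_entry "$(/usr/bin/getent passwd "$1")"
}

# Read the token from stdin. NUL bytes are stripped defensively in case
# the module terminates the token with one.
read_authtok() {
    tr -d '\000'
}

# Debug dump of the environment into a private (mode 600) file with an
# unpredictable name; variables naming AUTHTOK are not written.
dump_env() {
    ( umask 077
      f=$(mktemp "${TMPDIR:-/tmp}/onauth.XXXXXX") || exit 1
      env | grep -v 'AUTHTOK' > "$f"
      printf '%s\n' "$f" )
}

# Only act in the auth phase; PAM_TYPE is unset outside of pam_exec.
if [ "${PAM_TYPE:-}" = auth ]; then
    # sshd's auth phase does not provide HOME, so derive it here.
    HOME=$(home_of "$PAM_USER") && export HOME
    tok=$(read_authtok)
    # ONAUTH_DEBUG is a hypothetical switch for this sketch.
    if [ -n "${ONAUTH_DEBUG:-}" ]; then dump_env >/dev/null; fi
    # ... pass "$tok" to the login command from the TID here (not shown) ...
    unset tok
fi
```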