Mini Shell
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 6. Porting legacy applications</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_ADG.html" title="The Linux-PAM Application Developers' Guide"><link rel="up" href="Linux-PAM_ADG.html" title="The Linux-PAM Application Developers' Guide"><link rel="prev" href="adg-libpam-functions.html" title="5.1. Functions supplied"><link rel="next" href="adg-glossary.html" title="Chapter 7. Glossary of PAM related terms"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Porting legacy applications</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="adg-libpam-functions.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="adg-glossary.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="adg-porting"></a>Chapter 6. Porting legacy applications</h1></div></div></div><p>
The point of PAM is that the application is not supposed to
have any idea how the attached authentication modules will choose
to authenticate the user. So all they can do is provide a conversation
function that will talk directly to the user(client) on the modules'
behalf.
</p><p>
Consider the case that you plug a retinal scanner into the login
program. In this situation the user would be prompted: "please look
into the scanner". No username or password would be needed - all this
information could be deduced from the scan and a database lookup. The
point is that the retinal scanner is an ideal task for a "module".
</p><p>
While it is true that a pop-daemon program is designed with the POP
protocol in mind and no-one ever considered attaching a retinal
scanner to it, it is also the case that the "clean" PAM'ification of
such a daemon would allow for the possibility of a scanner module
being be attached to it. The point being that the "standard"
pop-authentication protocol(s) [which will be needed to satisfy
inflexible/legacy clients] would be supported by inserting an
appropriate pam_qpopper module(s). However, having rewritten
<span class="command"><strong>popd</strong></span> once in this way any new protocols can be
implemented in-situ.
</p><p>
One simple test of a ported application would be to insert the
<span class="command"><strong>pam_permit</strong></span> module and see if the application
demands you type a password... In such a case, <span class="command"><strong>xlock</strong></span>
would fail to lock the terminal - or would at best be a screen-saver,
ftp would give password free access to all etc.. Neither of
these is a very secure thing to do, but they do illustrate how
much flexibility PAM puts in the hands of the local admin.
</p><p>
The key issue, in doing things correctly, is identifying what is part
of the authentication procedure (how many passwords etc..) the
exchange protocol (prefixes to prompts etc., numbers like 331 in the
case of ftpd) and what is part of the service that the application
delivers. PAM really needs to have total control in the
authentication "procedure", the conversation function should only
deal with reformatting user prompts and extracting responses from raw
input.
</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="adg-libpam-functions.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="adg-glossary.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">5.1. Functions supplied </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_ADG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Glossary of PAM related terms</td></tr></table></div></body></html>
Zerion Mini Shell 1.0