Re: A question for everyone about PAM



On Thu, 2010-11-25 at 15:34 +0800, Guannan Ma wrote:
> Hi, all,
> I have only recently started looking at PAM authentication, and I'd appreciate some help with my questions.
> Thanks in advance :)
> 
> 
> [1] The first question is about sessions in PAM
> 
> Session management in PAM mainly provides two functions, pam_open_session and
> pam_close_session
> 
> My question is: after I open a session, what kind of environment do I get? After I have
> called open_session, what has PAM done for me?
> Between pam_open_session and pam_close_session, what privileges do I get? Or rather, what
> kind of special environment?
> 
You should first understand what the PAM framework looks like.
On Solaris, you can run man pam to see a description of the PAM framework.
My understanding is that when pam_open_session is called, it notifies the session service
modules that a new session has started. Note that the session service modules are pluggable,
which means there are system-provided ones, and possibly ones written by you or by a third
party. If your program does not call it, these modules have no way of knowing that a new
session has started.
Correspondingly, pam_close_session notifies the session service modules that this session has ended.
To illustrate with a diagram:

pam_open_session           your program
   pam_sm_open_session     module 1
   pam_sm_open_session     module 2
   ....
pam_close_session          your program
   pam_sm_close_session    module 1
   pam_sm_close_session    module 2
   
> 
> [2] The second question is about setting credentials in PAM
> 
> Let me quote from the PAM function description.
> 
> On a Linux system the user's UID and GID's are credentials too.
> However, it has been decided that these properties (along with the
> default supplementary groups of which the user is a member) are
> credentials that should be set directly by the application and not by
> PAM. Such credentials should be established, by the application, prior
> to a call to this function. For example, initgroups(2) (or equivalent)
> should have been performed.
> 
> This passage says that my program's group and uid settings come before setcredential. So
> what is the use of setting this credential? What do I use it for?
> 
> 
> int pam_setcred(pam_handle_t *pamh, int flags);

This is similar to the previous point: it allows the service modules to set credentials. You do
not need to know what the service modules are going to do, but you do need to call this
interface. For example, if some module finds that a certificate has expired, it returns an
error, which terminates the current session.

Note that PAM is an extensible framework; service modules can keep being added, providing
different security services.

Jeff

>  
> 
> 3.1.8.1. DESCRIPTION
> 
> The pam_setcred function is used to establish, maintain and delete the
> credentials of a user. It should be called to set the credentials
> after a user has been authenticated and before a session is opened for
> the user (with pam_open_session(3)). The credentials should be deleted
> after the session has been closed (with pam_close_session(3)).
> 
> A credential is something that the user possesses. It is some
> property, such as a Kerberos ticket, or a supplementary group
> membership that make up the uniqueness of a given user. On a Linux
> system the user's UID and GID's are credentials too. However, it has
> been decided that these properties (along with the default
> supplementary groups of which the user is a member) are credentials
> that should be set directly by the application and not by PAM. Such
> credentials should be established, by the application, prior to a call
> to this function. For example, initgroups(2) (or equivalent) should
> have been performed.
> 
> 
> 
> PAM documentation is hard to search through.. most of the examples are about auth.. there are
> relatively few about sessions.
> Could someone who knows this area show me what a session can actually do?
> 
> I am currently developing the server side of a C/S application.. I'd like to bring in PAM for
> user management. Recently I have been thinking about how to persist these user sessions, and I
> am not sure whether PAM can meet the requirement.
> 
> 
> Thanks again.
> 
> --
> Regards,
> Guannan
> 
> _______________________________________________
> gnome-cn-list mailing list
> gnome-cn-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-cn-list


