Re: =?UTF-8?Q?=E8=AF=B7=E6=95=99=E5=A4=A7=E5=AE=B6=E4=B8=80=E4=B8=8B?= =?UTF-8?Q?=E5=85=B3=E4=BA=8EPAM=E7=9A=84=E9=97=AE=E9=A2=98?=
- From: Jeff Cai <jeff cai oracle com>
- To: Guannan Ma <mythmgn gmail com>
- Cc: gnome-cn-list gnome org
- Subject: Re: 请教大家一下关于PAM的问题
- Date: Thu, 25 Nov 2010 17:23:10 +0800
On Thu, 2010-11-25 at 15:34 +0800, Guannan Ma wrote:
> Hi, all,
> 最近才开始关注PAM验证方面的问题, 请大家帮忙解答下我的疑问.
> 先谢谢了 :)
>
>
> [1] 第一个问题是关于PAM 里面的session的
>
> PAM里面的session管理主要提供了两个函数,pam_open_session
> pam_close_session
>
> 我的疑问是, 我open session之后, 得到了什么样的环境. 在我执行过
> open_session之后? PAM为我做了什么?
> 在pam_open_session 和pam_close_session之间 我得到了什么特权? 或者说什
> 么样的特殊环境.
>
你首先应该了解PAM framework是什么样的?
在solaris上,你可以man pam能看到对pam framework的说明。
我的理解是pam_open_session调用后,它通知session服务模块一个新的session开
始了。请注意,session的服务模块是可插入的,这意味着有系统的,也可能有你
自己编写的,或者其他第三方写的模块。如果你的程序不掉用它,这些模块将无从
知道一个新的session的开始。
与之对应,pam_close_session通知session服务模块这个session结束了。
用一个图来说明:
pam_open_session 你的程序
pam_sm_open_session 模块1
pam_sm_open_session 模块2
....
pam_close_session 你的程序
pam_sm_close_session 模块1
pam_sm_close_session 模块2
>
> [2] 第二个问题关于PAM 里的设置credential
>
> 我援引一下pam的函数介绍.
>
> On a Linux system the user's UID and GID's are credentials too.
> However, it has been decided that these properties (along with the
> default supplementary groups of which the user is a member) are
> credentials that should be set directly by the application and not by
> PAM. Such credentials should be established, by the application, prior
> to a call to this function. For example, initgroups(2) (or equivalent)
> should have been performed.
>
> 这句话, 也就是说我程序的组设置和uid设置, 是先于setcredential的. 那我设
> 置这个credential 有啥用处?我用它来做什么?
>
>
> int pam_setcred(pamh,
> flags);
> pam_handle_t *pamh;
> int flags;
这个和前面类似,允许服务模块来设置crediential。你不需要知道服务模块要干
什么。但是你需要调用这个接口。例如,如果某个模块发现证书过期,那么就会返
回错误。从而终止当前的session。
请注意PAM是个可扩展的framework,服务模块可以不断的添加,从而增加不同的安
全服务。
Jeff
>
>
> 3.1.8.1. DESCRIPTION
>
> The pam_setcred function is used to establish, maintain and delete the
> credentials of a user. It should be called to set the credentials
> after a user has been authenticated and before a session is opened for
> the user (with pam_open_session(3)). The credentials should be deleted
> after the session has been closed (with pam_close_session(3)).
>
> A credential is something that the user possesses. It is some
> property, such as a Kerberos ticket, or a supplementary group
> membership that make up the uniqueness of a given user. On a Linux
> system the user's UID and GID's are credentials too. However, it has
> been decided that these properties (along with the default
> supplementary groups of which the user is a member) are credentials
> that should be set directly by the application and not by PAM. Such
> credentials should be established, by the application, prior to a call
> to this function. For example, initgroups(2) (or equivalent) should
> have been performed.
>
>
>
> PAM的文档搜索起来很费劲.. 大部分的实例都是关于auth方面的.. 这个
> session方面的比较少.
> 请懂这方面的朋友给我示意下 这个session到底能做些什么?
>
> 我现在在做C/S server端的开发.. 想引入pam做用户管理 最近在想这个用户对
> 话的保存, 不知道pam是否能满足条件.
>
>
> 再次致谢.
>
> --
> Regards,
> Guannan
>
> _______________________________________________
> gnome-cn-list mailing list
> gnome-cn-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-cn-list
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]