Re: A question for everyone about PAM



On Thu, 2010-11-25 at 16:29 +0800, Guannan Ma wrote:
> Or could someone give me an example of how to maintain a C (client) / S (server) session?

PAM is probably not a client/server structure; in fact, they are in one process.

Here is a command-line example.

On Solaris, unpack it:

$tar xvf pam.tar
$cd pam
$make
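This builds 2 programs:
test-pam: the command-line program
pam-helper: on Solaris it needs to be a suid program; on Linux it does not.
This is the PAM interface program.

test-pam and pam-helper communicate through a pipe.

For a more complex example, please refer to gnome-screensaver.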

Jeff

> 
> Thanks
> 
> 2010/11/25 Guannan Ma <mythmgn gmail com>
>         Hi, all,
>         I have only recently started looking into PAM authentication;
>         could everyone please help answer my questions.
>         Thanks in advance :)
>         
>         
>         [1] The first question is about sessions in PAM
>         
>         Session management in PAM mainly provides two functions,
>         pam_open_session and pam_close_session
>         
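>         My question is: after I open a session, what kind of environment
>         do I get? After I have called open_session, what has PAM done
>         for me?
>         Between pam_open_session and pam_close_session, what privileges
>         do I get? Or rather, what kind of special environment?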
>         
>         
>         [2] The second question is about setting credentials in PAM
>         
>         Let me quote PAM's function documentation.
>         
>         On a Linux system the user's UID and GID's are credentials
>         too. However, it has been decided that these properties (along
>         with the default supplementary groups of which the user is a
>         member) are credentials that should be set directly by the
>         application and not by PAM. Such credentials should be
>         established, by the application, prior to a call to this
>         function. For example, initgroups(2) (or equivalent) should
>         have been performed.
>         
>         This sentence means that my program's group and uid setup comes
>         before setcredential. So what is the use of setting this
>         credential? What do I use it for?
>         
>         
>         int pam_setcred(pamh,  
>          flags); 
>         pam_handle_t *pamh;
>         int flags;
>          
>         
>         3.1.8.1. DESCRIPTION
>         
>         The pam_setcred function is used to establish, maintain and
>         delete the credentials of a user. It should be called to set
>         the credentials after a user has been authenticated and before
>         a session is opened for the user (with pam_open_session(3)).
>         The credentials should be deleted after the session has been
>         closed (with pam_close_session(3)).
>         
>         A credential is something that the user possesses. It is some
>         property, such as a Kerberos ticket, or a supplementary group
>         membership that make up the uniqueness of a given user. On a
>         Linux system the user's UID and GID's are credentials too.
>         However, it has been decided that these properties (along with
>         the default supplementary groups of which the user is a
>         member) are credentials that should be set directly by the
>         application and not by PAM. Such credentials should be
>         established, by the application, prior to a call to this
>         function. For example, initgroups(2) (or equivalent) should
>         have been performed.
>         
>         
>         
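>         PAM documentation is hard to search for.. most of the examples
>         are about auth.. there are relatively few about session.
>         Could friends who understand this explain to me what this
>         session can actually do?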
>         
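>         I am currently developing the server side of a C/S system.. I
>         want to bring in PAM for user management. Recently I have been
>         thinking about preserving user sessions, and I don't know
>         whether PAM can meet that requirement.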
>         
>         
>         Thanks again.
>         
>         --
>         Regards,
>         Guannan
>         
> 
> 
> 
> -- 
> Regards,
> Guannan
> 
> _______________________________________________
> gnome-cn-list mailing list
> gnome-cn-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-cn-list

Attachment: pam.tar
Description: Unix tar archive
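
The test-pam / pam-helper split described in the reply, sketched as an added example (it is not the contents of pam.tar): a front end passes the credentials to a helper over a pipe and learns only the verdict from the helper's exit status. The wire format, the function names and the constructed demo_verify stand-in for the PAM calls are assumptions.

```c
/* Added illustration: wire format and names are assumptions, not pam.tar's code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

typedef int (*verify_fn)(const char *user, const char *pass);

/* Helper side: read "user\0pass\0" until EOF, verify, answer via exit status. */
static int helper_run(int fd, verify_fn verify) {
    char buf[512];
    size_t used = 0;
    ssize_t n;
    while (used < sizeof buf && (n = read(fd, buf + used, sizeof buf - used)) > 0)
        used += (size_t)n;
    char *sep = memchr(buf, '\0', used);
    /* Malformed or oversized input is rejected, never guessed at. */
    if (!sep || sep + 1 >= buf + used || buf[used - 1] != '\0') return 2;
    return verify(buf, sep + 1) ? 0 : 1;   /* a real helper calls PAM here */
}

/* Front-end side: returns 1 = accepted, 0 = rejected, -1 = internal error. */
int check_password(const char *user, const char *pass, verify_fn verify) {
    int p[2], status;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                        /* child plays the helper */
        close(p[1]);                       /* or read() never sees EOF */
        _exit(helper_run(p[0], verify));
    }
    close(p[0]);
    int bad = write(p[1], user, strlen(user) + 1) < 0 ||
              write(p[1], pass, strlen(pass) + 1) < 0;
    close(p[1]);                           /* EOF tells the helper to decide */
    if (waitpid(pid, &status, 0) < 0 || bad || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;       /* anything but 0 fails closed */
}

/* Constructed stand-in for the PAM check, so the example runs offline. */
static int demo_verify(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct horse") == 0;
}

int main(void) {
    printf("good: %d\n", check_password("alice", "correct horse", demo_verify));
    printf("bad:  %d\n", check_password("alice", "guess", demo_verify));
    return 0;
}
```

In a deployed split the helper would be a separate executable started with exec, which is what lets only that small program carry the suid bit.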


