
Re: NIS+ - Package (fwd)



Can anybody help with these keylogin module / getsecretkey questions?

Ben?


Thanks.

--Rainer.

--- Begin Message ---
Here's the report.

 Install Potato with pam-0.69 (no more need for pam_unix2 from kukuk)
 Install pam_keylogin 
 Install nisutils 1.1
 I'll send you my /etc/nsswitch.conf in another mail (sorry, I'm not on the
right machine)
 Install the domainname binary
 Install my /etc/init.d/nisplus_client script (you have it) and the links
        into /etc/rc*.d 
 

 Change in /etc/pam.d/login :
  
 the line 
             auth  required pam_unix.so
 should be followed immediately by
             auth  required pam_keylogin.so use_first_pass

 Put the Debian client into the admin group on the SUN NIS+ server.
 
 reboot
 enjoy :-)

 Important : the nis+_client.deb must conflict with nis.deb but must
include the domainname command.
 
 IMPORTANT : I suggest that the pam_keylogin module is inserted AS SOON AS
POSSIBLE into the libpam-modules.deb (I don't remember who the
maintainer is; I hope they are in your alias)
 
 Watch your mail; I am sending you some files.

Seb

 
Sebastien Chaumat
Laboratoire de Physique
Ecole Normale Superieure de Lyon



--- End Message ---
--- Begin Message ---
	Hello, 

 So there's still a problem. The pam keylogin module still has a
problem. We were misled by the fact that we had already done a
keylogin, so the keyserv process still remembered our secret keys.

	Logging in from scratch is possible but a user is still not
authenticated (in the nisplus sense). So it seems to us that the problem is
located in pam_keylogin.

	Regards,			Seb. & Pascal.

 

Sebastien Chaumat
Laboratoire de Physique
Ecole Normale Superieure de Lyon


--- End Message ---
--- Begin Message ---
	Hello,

	Hum... After some thought, we have a naive question... The
keylogin module gets the user's secret key from the getsecretkey
function which is part of the glibc library. But this function has to be
able to send requests to the NIS+ server to get an answer, as it is told
in the /etc/nsswitch.conf file.

	Are we sure that the potato glibc is able to do that? Maybe
you could forward this to the debian glibc people?

	Regards,			Seb. & Pascal.


Sebastien Chaumat
Laboratoire de Physique
Ecole Normale Superieure de Lyon


--- End Message ---
--- Begin Message ---
 Hi 

 Comparing pam_keylogin.c and keylogin.c it appears that:

1) in keylogin.c (works well) there is :

 getnetname (fullname);
  if (!getsecretkey (fullname, (char *)&net.st_priv_key,
		     getpass (_("Password:"))))

2) in pam_keylogin.c (doesn't work) there is :

 if (!getsecretkey (fullname, (char *)&net.st_priv_key, p))

 and netname is obtained from :

   if (user_pwd && user_pwd->pw_uid == 0)
    {
      char hostname[MAXHOSTNAMELEN + 1];

      gethostname (hostname, MAXHOSTNAMELEN);
      snprintf (netname, MAXNETNAMELEN, "unix.%s@%s", hostname, domain);
    }
  else
    {
      snprintf (netname, MAXNETNAMELEN, "unix.%d@%s", user_pwd->pw_uid,
		domain);
    }

 I feel that the problem is there and that pam_keylogin should use a
getnetname(netname) instead.

 I'm not a C programmer so my attempts are not supposed to work...

Seb,

Sebastien Chaumat
Laboratoire de Physique
Ecole Normale Superieure de Lyon



--- End Message ---
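
An added example, not part of the thread and not code from pam_keylogin or glibc: a small C helper for checking the hypothesis in the last message. It builds the netname in the two shapes the pam_keylogin.c excerpt uses and classifies how that string differs from a reference netname, such as the one getnetname() reports on the same host. The names build_netname, netname_diff and NETNAME_MAX and all sample values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NETNAME_MAX 255 /* assumption: stands in for MAXNETNAMELEN */

/* Build "unix.<uid>@<domain>", or "unix.<host>@<domain>" for uid 0, the two
 * shapes in the pam_keylogin.c excerpt. Returns 0, or -1 on bad input or
 * truncation, so a clipped name is never passed on to getsecretkey(). */
int build_netname(char *out, size_t len, uid_t uid,
                  const char *host, const char *domain)
{
    int n;
    if (!out || !len || !domain || !*domain || (uid == 0 && (!host || !*host)))
        return -1;
    if (uid == 0)
        n = snprintf(out, len, "unix.%s@%s", host, domain);
    else
        n = snprintf(out, len, "unix.%lu@%s", (unsigned long)uid, domain);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

enum { SAME = 0, TRAILING_DOT, DOMAIN_DIFFERS, PRINCIPAL_DIFFERS, MALFORMED };

/* Classify how a hand-built netname differs from a reference netname. */
int netname_diff(const char *built, const char *ref)
{
    const char *ba = built ? strchr(built, '@') : NULL;
    const char *ra = ref ? strchr(ref, '@') : NULL;
    size_t bl, rl;
    if (!ba || !ra) return MALFORMED;
    if (strcmp(built, ref) == 0) return SAME;
    if (ba - built != ra - ref || strncmp(built, ref, (size_t)(ba - built)) != 0)
        return PRINCIPAL_DIFFERS;          /* the "unix.<id>" part differs */
    bl = strlen(ba + 1); rl = strlen(ra + 1);
    while (bl && ba[bl] == '.') bl--;      /* ba[bl] is the domain's last char */
    while (rl && ra[rl] == '.') rl--;
    if (bl == rl && strncmp(ba + 1, ra + 1, bl) == 0) return TRAILING_DOT;
    return DOMAIN_DIFFERS;
}

int main(void)
{
    char built[NETNAME_MAX + 1];
    /* Constructed sample values, not taken from the thread. */
    if (build_netname(built, sizeof built, 1001, "client1", "lab.example.") == 0)
        printf("%s -> %d\n", built, netname_diff(built, "unix.1001@lab.example"));
    return 0;
}
```

Any result other than SAME means getsecretkey() would be asked for a different principal than the one keylogin uses.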
