SuSE loading PAM?

Joe Lewis joe at joe-lewis.com
Tue Jun 22 21:41:38 UTC 2004


Jason Gerfen wrote:

> I am writing a pam module and it works fine, does simple logging of 
> login attempts etc.  The problem with this is it only seems to load if I 
> use the /etc/pam.d/gdm file to load it.

For all Gnome Display Manager logins, it will use the gdm file.

> From what I understand about PAM the /etc/pam.d/login file should be 
> the one to load the module to log authentication attempts correct?

/etc/pam.d/login is used for text-console-based logins.  This is the 
beauty of PAM - different login mechanisms for different services.

> Second question, as I am writing this I attempt to get the current 
> owner of the process and it is coming up as UID & EUID as 3?  Is this a 
> system user?  I could not google up anything on this behavior.

Look in /etc/passwd for the account with UID of 3.

> My third question is if PAM is not running as the root user is there an 
> existing module that will switch to the root user on the fly in order to 
> run some authentication commands before returning to the normal user?  
> Any help is appreciated...

There is no mechanism to switch to root for the authentication.  Often, 
a service will be running as root.  When an authentication request comes 
in, a separate process will be fork()ed, and that process switches from 
root to the user that just authenticated, while the service starts 
listening again for new connections.

If you build a PAM-aware application, make sure that it is executed as 
root, or any authentications will fail (because only root has access to 
the shadow password files).

I was playing with a test application, and it would only allow the 
current user to authenticate.  As soon as the application became root 
and could gain access to the shadow files, I could authenticate any user 
in the files.

I hope I've answered a few questions in my ramblings.  Let me know if I 
haven't.

Joe
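
Added example, not part of the original message: a small Python audit of the per-service behaviour discussed above. It reports which /etc/pam.d service files would load a given module, following `include`, `substack` and `@include` lines. The directory contents and the module name pam_loginlog.so are constructed for illustration.

```python
import re

# Constructed stand-in for /etc/pam.d; pam_loginlog.so is a hypothetical module.
SAMPLE_PAM_D = {
    "gdm": "#%PAM-1.0\nauth required pam_loginlog.so debug\nauth include common-auth\n",
    "login": ("#%PAM-1.0\nauth requisite pam_nologin.so  # text console\n"
              "auth [success=1 default=ignore] \\\n    pam_succeed_if.so uid >= 1000\n"
              "@include common-auth\n"),
    "sshd": "auth substack common-auth\n-session optional /lib/security/pam_loginlog.so\n",
    "common-auth": "auth required pam_unix.so nullok\n",
}

# type (optional leading "-"), control (word or [bracketed list]), module or file
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def modules_for(service, pam_d, seen=None):
    """Module file names a service's stacks reference, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return set()
    seen.add(service)  # guards against include loops
    mods = set()
    for line in logical_lines(pam_d[service]):
        if line.startswith("@include"):  # Debian-style directive
            mods |= modules_for(line.split()[1], pam_d, seen)
            continue
        m = RULE.match(line)
        if not m:
            continue
        _type, control, target = m.groups()
        if control in ("include", "substack"):
            mods |= modules_for(target, pam_d, seen)
        else:
            mods.add(target.rsplit("/", 1)[-1])
    return mods

def services_loading(module, pam_d):
    """Service files whose stacks would load the named module."""
    return sorted(s for s in pam_d if module in modules_for(s, pam_d))

print(services_loading("pam_loginlog.so", SAMPLE_PAM_D))
```

To run it against a real system, build the dictionary from the files in /etc/pam.d (file name as key, file text as value).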




