I have written a PAM (Pluggable Authentication Module) for our WIBS booking
system that talks SOAP to carry out authentication, and I would love to
hear from someone who has worked with PAM and the Linux Terminal Server
Project (LTSP) to get some pointers on configuration. By default, PAM is
configured on most Red Hat machines as something like:

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

In order to use custom authentication, I changed the settings to the
following:

auth required /wibs/pam_wibs.so url=http://wibshost:8080/wibssoap station=TEST01 userid=arhyno # all one line
auth required pam_securetty.so
auth required pam_nologin.so
account required /lib/security/pam_unix.so use_first_pass use_authtok debug
password required /lib/security/pam_unix.so use_first_pass use_authtok debug
session required /lib/security/pam_unix.so
session optional pam_console.so

This seems to do everything I want: the custom authentication is handled by
the pam_wibs plugin, while the session itself is assigned the permissions
of the user identified by the "userid=" parameter (the authentication is
based on barcode, so the stations need to pick up user permissions rather
than creating a userid for every patron). However, this is for a regular login,
and I suspect sites that use LTSP have implemented PAM to plug in their
own authentication. We have a batch of old JavaStations that can talk to
our Linux servers, but it's hard to extrapolate from that somewhat peculiar
setup to how it should work with LTSP. I would also be super-interested if
anyone has used PAM as an alternative login mechanism for OS/X; it is
supported but seems to require some special configuration.
art
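As an added illustration (not part of the post above, and not the pam_wibs module's code), the following Python script models how Linux-PAM walks the auth stack from the custom configuration under the simple control flags: with every module marked `required`, a rejection by pam_wibs is only reported after pam_securetty and pam_nologin have also run, whereas `requisite` would stop the stack at the first failure. The module outcomes are constructed inputs; the stack text is the auth lines from the post.

```python
# Constructed sample input: the auth lines of the custom PAM stack from the post.
AUTH_STACK = """
auth required /wibs/pam_wibs.so url=http://wibshost:8080/wibssoap station=TEST01 userid=arhyno # all one line
auth required pam_securetty.so
auth required pam_nologin.so
"""


def parse_stack(text, mgmt_group="auth"):
    """Return [(control_flag, module_basename)] for one management group."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # PAM treats '#' as a comment
        if not line:
            continue
        group, control, module, *_args = line.split()
        if group == mgmt_group:
            entries.append((control, module.rsplit("/", 1)[-1]))
    return entries


def run_stack(entries, outcomes):
    """Evaluate a stack using the simple Linux-PAM control flags.

    outcomes maps module basename -> True (PAM_SUCCESS) or False (failure).
    Returns (access_granted, modules_actually_called).
    """
    called = []
    failed = False
    for control, module in entries:
        ok = outcomes.get(module, False)  # unknown module: treat as failure
        called.append(module)
        if control == "required":
            failed = failed or not ok     # remember failure, keep walking
        elif control == "requisite":
            if not ok:
                return False, called      # fail immediately
        elif control == "sufficient":
            if ok and not failed:
                return True, called       # short-circuit success
        elif control == "optional":
            pass                          # only decisive if it is the sole module (not modelled)
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not failed, called


if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    print(run_stack(stack, {"pam_wibs.so": False, "pam_securetty.so": True, "pam_nologin.so": True}))
```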