Chapter 33: PAM
I have a couple of questions about PAM. Maybe someone knows answers to them and can help me out.
1. On the page PAM Rules one can read:
   "auth: Instructs the application to prompt the user for identification (username, password, etc). May set credentials and grant privileges."
   Do I understand that correctly? If a PAM-aware application wants to authenticate a user, ...
   - It calls PAM with the type auth.
   - PAM loads all modules related to auth for that application.
   - If one of these modules requires a username and password, it asks the application to ask the user to supply a username and a password.
   - The application prompts the user for a username and a password.
   - The application sends these inputs back to PAM.
   - And the PAM modules verify that they are correct.
2. If that is how it works, that means all PAM-aware applications must have some kind of callback function that PAM modules can invoke to "communicate" with the user of the application. And PAM modules don't interact with the user directly. Correct?
3. If point 2 is true, what happens if I as a system administrator want to change the way users have to authenticate for a certain application/service? For example, I want the user to sing a song and I write a PAM module (song_chk) that checks if the user knows the lyrics and sings sufficiently well. Now my song_chk module would have to ask the application to ask the user to sing a song, record it, and send the audio back to song_chk for verification. Somehow I can't imagine that's how this would work, because that would mean that any PAM-aware application would have to be able to ask the user for any kind of input and be able to pass any kind of user input to PAM.
Well, any help is highly appreciated. Thanks!
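
The callback flow the question describes, as an added example that is not part of the original post: the application registers a conversation function, and the module reaches the user only through it. The types and constant values mirror Linux-PAM's `<security/pam_appl.h>` and are redeclared locally so the file builds without libpam; `struct canned`, `app_conv`, `toy_module_auth`, `copy_str` and the credentials are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Local mirror of the Linux-PAM conversation types and constants from
   <security/pam_appl.h>, redeclared so the example builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
struct canned { const char *user, *secret; };  /* hypothetical appdata: canned answers */

static char *copy_str(const char *s)
{ size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL; }

/* Application side: the callback handed to PAM. A real program would prompt
   on its terminal or GUI here; this one answers from the canned strings. */
int app_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    const struct canned *in = appdata;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  r[i].resp = copy_str(in->user);   break;
        case PAM_PROMPT_ECHO_OFF: r[i].resp = copy_str(in->secret); break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO: break;  /* display only, no reply */
        default:  /* a request style this application does not know how to serve */
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;  /* the module frees the replies */
    return PAM_SUCCESS;
}

/* Module side (toy stand-in for an auth module): it never reads the terminal,
   it sends messages through the application's callback and checks the replies. */
int toy_module_auth(const struct pam_conv *pc, int secret_style)
{
    struct pam_message m[2] = { { PAM_PROMPT_ECHO_ON, "login: " }, { secret_style, "Password: " } };
    const struct pam_message *mp[2] = { &m[0], &m[1] };
    struct pam_response *r = NULL;
    int rc = pc->conv(2, mp, &r, pc->appdata_ptr);
    if (rc != PAM_SUCCESS) return rc;  /* application could not collect the input */
    int ok = r[0].resp && r[1].resp && !strcmp(r[0].resp, "alice") && !strcmp(r[1].resp, "constructed-secret");
    free(r[0].resp); free(r[1].resp); free(r);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}
```

Passing a style value the callback does not recognise (a made-up `99` here, standing in for a request such as song_chk's) makes the conversation fail with `PAM_CONV_ERR`, so the module never receives the input it asked for.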