[Westwales] pam_usb + xscreensaver

Matthew Bennett mwb3 at aber.ac.uk
Mon Feb 6 08:00:16 GMT 2006


Mark Illsley wrote:
> Hi all.
> I've just set up pam_usb on an Ubuntu system. I have got sudo, gdm and login
> working but I am having
> a real problem with xscreensaver; any thoughts would be great. Here is
> the line that I have entered.
>
> auth required pam_usb.so fs=vfat check_device=-1 force_device=/dev/sda1
> log_file=/var/log/pam_usb.log allow_remote !check_device
>
> Thanks again in advance
>

Hi Mark,

Please bear in mind I've never used pam (didn't know what it was before
your email!) however I found a FAQ to tell me what it was, and I think I
might have stumbled over something close to the answer...

Hope this helps,

Matthew

-------------------------------


(Extract taken from http://www.kernel.org/pub/linux/libs/pam/FAQ)
Q9: xlock and foobar don't work with shadow passwords

This may be to do with the fact that 'xlock' (or 'foobar') does not
have permission to read the /etc/shadow file. The simplest thing to do
to overcome this, is to setuid (chown root `which xlock` && chmod +s
`which xlock`). To my knowledge no one has verified that xlock cannot
be made to launch a root-owned shell this way, so think twice before
you do this.

The unix and pwdb modules can use the help of a helper binary to
verify the password field ** for the current user **.  So an
alternative to making xlock setuid is to use the pam_unix or pam_pwdb
modules for authentication.

If this still doesn't work check the /etc/log/messages file for a
clue... If the module complains that it cannot open the configuration
file, check the access permissions on the /etc/pam.conf (OR
/etc/pam.d/) file (directory).

For 'foobar' applications the situation may be more complicated.
Generally, this is because the foobar application wants to
authenticate users other than the one that invoked them.  As such, the
helper programs used by the unix and pwdb modules will refuse to check
the corresponding password.  If you want to get around this problem
then you need to do something to give the foobar program more general
access to the /etc/shadow file.  A simple thing to do is to make the
foobar program setgid - shadow, and make the /etc/shadow file's group
ownership the shadow group (chgrp shadow /etc/shadow), with read
access for that group (chmod g+r /etc/shadow).
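
The routes to /etc/shadow that the FAQ extract describes, as a read-only check (an added example, not part of the original post or the FAQ). The function names and result labels are made up for illustration, and `audit` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: which of the FAQ's routes to /etc/shadow is a locker using?
# Read-only. Function names and result labels are illustrative, not from PAM.

# classify_locker MODE OWNER GROUP   (MODE is octal, as printed by stat %a)
classify_locker() {
    bits=$(( 0$1 ))
    if [ $(( bits & 04000 )) -ne 0 ] && [ "$2" = root ]; then
        echo setuid-root            # the "chown root && chmod +s" route
    elif [ $(( bits & 02000 )) -ne 0 ] && [ "$3" = shadow ]; then
        echo setgid-shadow          # the "setgid - shadow" route
    else
        echo unprivileged
    fi
}

# classify_shadow MODE GROUP   (mode and group of /etc/shadow)
classify_shadow() {
    bits=$(( 0$1 ))
    if [ $(( bits & 0004 )) -ne 0 ]; then
        echo world-readable         # hashes exposed to every local user
    elif [ $(( bits & 0040 )) -ne 0 ] && [ "$2" = shadow ]; then
        echo shadow-group-readable  # chgrp shadow + chmod g+r applied
    else
        echo restricted             # neither shadow-group nor world read
    fi
}

# verdict LOCKER_CLASS SHADOW_CLASS
verdict() {
    case "$1/$2" in
        */world-readable)                    echo direct-world-readable ;;
        setuid-root/*)                       echo direct-as-root ;;
        setgid-shadow/shadow-group-readable) echo direct-as-shadow-group ;;
        *)                                   echo helper-only ;;
    esac
}

# audit NAME: inspect the installed binary (assumes GNU stat for -c)
audit() {
    path=$(command -v "$1") || { echo "$1: not found" >&2; return 1; }
    set -- $(stat -Lc '%a %U %G' "$path") $(stat -c '%a %G' /etc/shadow)
    verdict "$(classify_locker "$1" "$2" "$3")" "$(classify_shadow "$4" "$5")"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A result of `helper-only` means the locker has no direct read access and depends on the pam_unix or pam_pwdb helper binary, which the FAQ says verifies the password only for the current user.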



