You might be right, though it is my impression that not too many people
follow the discussions in SLED. I’ll cross post anyway.
Strictly speaking it was a question for OES as I have to do some
administrative tasks on my servers that require a Novell login done via
nwlogin as packed in novell-qtgui-cli. Thus the Novell Client that comes
with SLED is not installed.
Anyway, my problem is solved with using libpam-script-0.1.12 instead of
pam-script-1.1.6 which results in running the nwlogin and nwrunscripts
commands within the user context instead of root.
>> You may get quicker results.
>
> Anyway, my problem is solved with using libpam-script-0.1.12 instead of
> pam-script-1.1.6 which results in running the nwlogin and nwrunscripts
> commands within the user context instead of root.
It turns out I was too optimistic about this. It actually works as
described in TID 3416680 for a console login, but not for ssh. With ssh
I can’t do the nwlogin within the auth part. Different environment for
ssh as compared to a local login?
As a workaround I can store the password within onauth somewhere and
read it back within onsessionopen, doing the nwlogin there. This seems
to be fine, but is kind of dirty. Any other suggestions?
Günther Schwarz wrote:
> It turns out I was too optimistic about this. It actually works as
> described in TID 3416680 for a console login, but not for ssh. With ssh
> I can’t do the nwlogin within the auth part. Different environment for
> ssh as compared to a local login?
When you say you can’t do nwlogin within the auth part, does that mean you added the relevant lines to /etc/pam.d/sshd but it doesn’t work?
Something I’ve found helpful when debugging scripts being called by PAM modules is to add lines like
[CODE]
debugfile="/tmp/$(basename "$0")";
# truncate the file, then dump the environment the PAM module passed in
> "${debugfile}";
env > "${debugfile}";
[/CODE]
so I can see what various variables are being set to. (Obviously remember to remove that before production!)
I don’t have any SLED 10 machines any more or anything to log in to with nwlogin myself.
On a tangential note I’m curious as to why the TID describes using pam_script which is not included in SLED rather than pam_exec which is included in SLED. I used to use pam_script to do some things at login because that was a solution I found via Google and I was completely ignorant of pam_exec. When I discovered pam_exec I switched to using that. I had to tweak my scripts a bit but it does what I wanted to do as well as pam_script did.
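A more careful variant of the debugging lines above, as an added example that is not part of the original post: it writes the dump to an unpredictably named file with mode 0600 instead of a fixed name in /tmp, masks password-like variables, and records whether HOME is set. The function names, the default directory and the assumption that a module may export the password in a variable such as PAM_AUTHTOK are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: environment dump for a PAM-invoked script.
# Assumption: secrets sit in variables whose names contain AUTHTOK, PASS or
# SECRET (for example PAM_AUTHTOK); extend the pattern for your module.

# Print the environment with secret-looking values masked (one variable per
# line; multi-line values are not handled).
redacted_env() {
    env | sed -E 's/^([^=]*(AUTHTOK|PASS|SECRET)[^=]*)=.*/\1=<redacted>/'
}

# Dump into a fresh file with an unpredictable name, mode 0600.
# $1 = dump directory; /var/log/pam-debug is a hypothetical default.
# Prints the path of the file that was written.
pam_debug_dump() {
    dir="${1:-/var/log/pam-debug}"
    name="${0##*/}"
    old_umask=$(umask)
    umask 077
    if ! mkdir -p "$dir" || ! file=$(mktemp "$dir/$name.XXXXXX"); then
        umask "$old_umask"
        return 1
    fi
    {
        echo "# service=${PAM_SERVICE:-?} type=${PAM_TYPE:-?} uid=$(id -u)"
        # HOME is what differed between the console and ssh logins here.
        if [ -n "${HOME:-}" ]; then echo "# HOME set"; else echo "# HOME unset"; fi
        redacted_env
    } > "$file"
    umask "$old_umask"
    echo "$file"
}

# Usage inside the PAM script (output path discarded):
#   pam_debug_dump >/dev/null
```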
Günther Schwarz wrote:
>> It turns out I was too optimistic about this. It actually works as
>> described in TID 3416680 for a console login, but not for ssh. With ssh
>> I can’t do the nwlogin within the auth part. Different environment for
>> ssh as compared to a local login?
>
> When you say you can’t do nwlogin within the auth part, does that mean
> you added the relevant lines to /etc/pam.d/sshd but it doesn’t work?
> Something I’ve found helpful when debugging scripts being called by PAM
> modules is to add lines like
> Code:
> debugfile="/tmp/$(basename "$0")";
> > "${debugfile}";
> env > "${debugfile}";
> so I can see what various variables are being set to. (Obviously
> remember to remove that before production!)
Yes, that helped a lot: Actually it turns out that nwlogin does need the
HOME variable to be set. This is available upon login on a terminal but
not in the auth section of a ssh login. So an
within the onauth script solved my problem. Thank you very much indeed.
> On a tangential note I’m curious as to why the TID describes using
> pam_script which is not included in SLED rather than pam_exec which is
> included in SLED. I used to use pam_script to do some things at login
> because that was a solution I found via Google and I was completely
> ignorant of pam_exec. When I discovered pam_exec I switched to using
> that. I had to tweak my scripts a bit but it does what I wanted to do as
> well as pam_script did.
Maybe pam_exec is simply less known. I was also not aware of it, so
thanks for the hint. A quick first try shows that the scripts will
indeed need some tweaks as