Pam agent description


Purpose

The PAM agent (ag_pam) is used to access the files in the /etc/pam.d directory. It is part of YaST2 SCR, the system configuration repository, which is used to access configuration data on the target system. The general SCR API provides Read() and Write() access to get and change data.

Interface for pam-agent

The interface is implemented as a SCR agent with the usual Read() and Write() interface. The path prefix used is .pam.

Note: The complete development documentation is available in the autodocs/ directory.

Restrictions, limits and future enhancements

The agent can neither add nor remove lines from the file. It only allows reading the file content or changing the options (arguments) of an existing module line.

Read paths description

The path is <service>[.<type>.<module>], where
service is a PAM config file in /etc/pam.d
type is one of auth, session, password or acct
module is the name of a PAM module without the .so suffix (e.g. pam_unix2)

For more information on these values see the manual page (man pam).

Examples:

Let's have the file /etc/pam.d/login, whose first three lines are:
#%PAM-1.0
auth sufficient pam_krb5afs.so #use_first_pass
auth requisite pam_unix2.so nullok #set_secrpc

SCR::Read(.pam.login) returns the contents of the whole /etc/pam.d/login file as a YCPList of lines, where each line is a YCPMap with the keys:

type (values auth, session, password or acct)
control with the values required, requisite, sufficient or optional
module the PAM module, as written in the file (including the .so suffix)
arguments the options given to the module, if any, as one string
comments the comment on the line, without the leading #

Keys that do not apply to a line (for example on a comment-only line) are absent from its map.

So the return value of the above call could look like:
[
$["comments":"%PAM-1.0"],
$["comments":"use_first_pass", "control":"sufficient", "module":"pam_krb5afs.so", "type":"auth"],
$["arguments":"nullok", "comments":"set_secrpc", "control":"requisite", "module":"pam_unix2.so", "type":"auth"],
etc.
]

SCR::Read(.pam.login.auth.pam_unix2) returns the line corresponding to the path (note that the module is given in the path without its .so suffix). In this example, it is
[
$["arguments":"nullok", "comments":"set_secrpc", "control":"requisite", "module":"pam_unix2.so", "type":"auth"]
]

Write paths description

For writing, the full path in the form <service>.<type>.<module> is needed, plus an argument of the form +value (to add a new option) or -value (to remove an existing option).

Examples:
For the file above, we could modify the pam_unix2 line by removing the nullok option:
SCR::Write(.pam.login.auth.pam_unix2, "-nullok")

And to add an option for the auth type and the krb5afs module:
SCR::Write(.pam.login.auth.pam_krb5afs, "+use_first_pass")

The modified file now looks like this:
#%PAM-1.0
auth sufficient pam_krb5afs.so use_first_pass #use_first_pass
auth requisite pam_unix2.so #set_secrpc

The return value of Write is a YCPBoolean (operation success). Because Write() only changes options on an existing line, a misspelled type or module name addresses no line at all; since these files control authentication, verify the result with a subsequent Read() before relying on it.
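The following Python script is an added example, not part of ag_pam or YaST2. It reimplements the Read and Write semantics described in the two sections above outside SCR: it parses a pam.d service file into the same per-line maps (type, control, module, arguments, comments), looks a line up by type and module name without the .so suffix, and applies +option / -option changes without ever adding or removing a line. The sample file content is the /etc/pam.d/login excerpt from the text; the handling of bracketed control values such as [success=1 default=ignore] is an assumed extension that the page itself does not mention.

```python
"""Added example (not ag_pam's code): pam.d line maps, path lookup and
+opt/-opt edits as described for SCR::Read(.pam...) and SCR::Write(.pam...)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the /etc/pam.d/login excerpt used in the text above.
SAMPLE_LOGIN = """#%PAM-1.0
auth sufficient pam_krb5afs.so #use_first_pass
auth requisite pam_unix2.so nullok #set_secrpc
"""

Entry = Dict[str, str]


def parse_line(line: str) -> Entry:
    """Split one pam.d line into the keys ag_pam's Read() returns.
    Keys that do not apply (e.g. on a comment-only line) are left out."""
    entry: Entry = {}
    code, sep, comment = line.partition("#")
    if sep:
        entry["comments"] = comment.strip()
    fields = code.split()
    if not fields:
        return entry  # blank or comment-only line
    # Assumed extension beyond the page: bracketed control values such as
    # [success=1 default=ignore] contain spaces; re-join them so the module
    # name always lands in fields[2].
    if fields[1:] and fields[1].startswith("["):
        end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
        if end is None:
            raise ValueError(f"unterminated control bracket: {line!r}")
        fields[1:end + 1] = [" ".join(fields[1:end + 1])]
    if len(fields) < 3:
        raise ValueError(f"malformed pam.d line: {line!r}")
    entry["type"], entry["control"], entry["module"] = fields[:3]
    if len(fields) > 3:
        entry["arguments"] = " ".join(fields[3:])
    return entry


def read_service(text: str) -> List[Entry]:
    """Equivalent of Read(.pam.<service>): one map per file line, in order."""
    return [parse_line(line) for line in text.splitlines()]


def _base(module: str) -> str:
    """Strip the .so suffix so path names like pam_unix2 match pam_unix2.so."""
    return module[:-3] if module.endswith(".so") else module


def find_entry(entries: List[Entry], ptype: str, module: str) -> Optional[Entry]:
    """Equivalent of Read(.pam.<service>.<type>.<module>); None if no line matches."""
    for entry in entries:
        if entry.get("type") == ptype and _base(entry.get("module", "")) == _base(module):
            return entry
    return None


def write_option(entries: List[Entry], ptype: str, module: str, change: str) -> bool:
    """Equivalent of Write(.pam.<service>.<type>.<module>, "+opt" | "-opt").
    Returns False (like the agent's YCPBoolean) for a malformed change or a
    non-existent line; lines are never added or removed, only their options."""
    if len(change) < 2 or change[0] not in "+-":
        return False
    entry = find_entry(entries, ptype, module)
    if entry is None:
        return False
    opts = entry.get("arguments", "").split()
    opt = change[1:]
    if change[0] == "+":
        if opt not in opts:
            opts.append(opt)
    else:
        opts = [o for o in opts if o != opt]
    if opts:
        entry["arguments"] = " ".join(opts)
    else:
        entry.pop("arguments", None)
    return True


def format_line(entry: Entry) -> str:
    """Serialise a map back to a pam.d line, keeping the comment at the end."""
    parts = []
    if "type" in entry:
        parts.append(f'{entry["type"]} {entry["control"]} {entry["module"]}')
        if entry.get("arguments"):
            parts.append(entry["arguments"])
    if "comments" in entry:
        parts.append(f'#{entry["comments"]}')
    return " ".join(parts)


def apply_changes(text: str, changes: List[Tuple[str, str, str]]) -> Tuple[str, List[bool]]:
    """Apply (type, module, change) edits to a file's text; returns the new
    text and one success flag per change, mirroring the Write() return value."""
    entries = read_service(text)
    results = [write_option(entries, t, m, c) for t, m, c in changes]
    return "\n".join(format_line(e) for e in entries) + "\n", results


if __name__ == "__main__":
    new_text, ok = apply_changes(SAMPLE_LOGIN, [("auth", "pam_unix2", "-nullok"),
                                                ("auth", "pam_krb5afs", "+use_first_pass")])
    print(ok)
    print(new_text, end="")
```

Running the script applies the two Write() calls from the example to the sample and prints the modified file shown above; the third, failing case (a module that is not in the file) is the reason every change reports its own boolean.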

Thorsten Kukuk <kukuk@suse.de> (ag_pam), Jiri Suchomel <jsuchome@suse.cz> (this text)