Author Topic: Pluggable authentication modules  (Read 3374 times)
bluefoxicy
« on: October 31, 2007, 09:29:25 pm »

A future version of EyeOS should supply a pluggable authentication module structure like with MediaWiki.  This would allow an eyepackage to include a system-level add-on for authentication, and thus allow a separate module to provide browser pass-thru or LDAP/Active Directory log-on without further EyeOS core code modification.

This leaves two authentication strategies.  EyeOS could keep its authentication in its core and just overload it when a new authentication module gets selected.  Alternately, EyeOS could abstract its own core authentication from itself and simply come with a default authentication module.  EyeOS could also disallow removing the last installed authentication module.

A further consideration: the use of modules in a hierarchy becomes essential.  The basic authentication module might provide root log-on; then an LDAP module may provide domain log-in.  A user may want local users to override LDAP, or want LDAP to override local; in such a case, the user would have to rank modules so that the first in hierarchy to actually know about the user can allow/deny log-in.  If the top of the hierarchy doesn't contain information on the user, it should pass through to the next.

Jose Carlos Norte
eyeOS Team
« Reply #1 on: November 04, 2007, 08:50:13 pm »


Since 1.2, eyeOS has PAM included in the UM kernel service.

Mathias
« Reply #2 on: November 07, 2007, 11:48:47 pm »


Could you give us an example of how to auth via PAM?

Jose Carlos Norte
eyeOS Team
« Reply #3 on: November 08, 2007, 01:09:59 am »


PAM in eyeOS is Pluggable Authentication Modules; this means that you can create a module, for example, mysql, and have your users in mysql and use this module to log in against it.

bluefoxicy
« Reply #4 on: November 08, 2007, 03:53:12 pm »

Wiki page for example auth module?  I recommend a hard coded user/password module for simplicity (i.e. a php file has an array users['user_name'] = md5(password)).  That should supply skeletal infrastructure to avoid overwhelming the user with complex code examples (a lot of such examples also become basic MySQL or LDAP examples, which pollutes the core purpose).
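
The ranking rule from the first post (the first module that knows the user allows or denies, unknown users pass through), combined with the hard-coded user/password module suggested in reply #4, as an added example that is not part of the thread and not eyeOS code. `AuthModule`, `HardcodedModule` and `authenticate()` are hypothetical names, and `password_hash()`/`password_verify()` are used here in place of the `md5(password)` mentioned in the post.

```php
<?php
// Added example: ranked authentication modules with pass-through.
// AuthModule, HardcodedModule and authenticate() are hypothetical names,
// not part of the eyeOS UM service.

interface AuthModule {
    /** true/false when this module knows $user, null when it does not. */
    public function login(string $user, string $password): ?bool;
}

class HardcodedModule implements AuthModule {
    /** @var array user name => password_hash() output */
    private array $users;

    public function __construct(array $users) { $this->users = $users; }

    public function login(string $user, string $password): ?bool {
        if (!array_key_exists($user, $this->users)) {
            return null;   // unknown here: let the next module in rank try
        }
        return password_verify($password, $this->users[$user]);
    }
}

/** Walk modules in rank order; the first one that knows the user decides. */
function authenticate(array $rankedModules, string $user, string $password): bool {
    foreach ($rankedModules as $module) {
        $verdict = $module->login($user, $password);
        if ($verdict !== null) {
            return $verdict;   // a deny is final and never falls through
        }
    }
    return false;              // no module knows the user: fail closed
}

// Constructed sample data: $local outranks $directory (a stand-in for LDAP).
$local = new HardcodedModule([
    'root' => password_hash('local-root-pw', PASSWORD_DEFAULT),
]);
$directory = new HardcodedModule([
    'root'  => password_hash('directory-root-pw', PASSWORD_DEFAULT),
    'alice' => password_hash('alice-pw', PASSWORD_DEFAULT),
]);
$chain = [$local, $directory];

var_dump(authenticate($chain, 'root', 'local-root-pw'));     // root, local password
var_dump(authenticate($chain, 'root', 'directory-root-pw')); // root, directory password
var_dump(authenticate($chain, 'alice', 'alice-pw'));         // user only in $directory
var_dump(authenticate($chain, 'bob', 'anything'));           // user in no module
```

Returning `null` for "unknown user" separately from `false` for "wrong password" is what keeps a lower-ranked module from accepting a password that a higher-ranked module has already rejected for the same account.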

Mathias
« Reply #5 on: November 19, 2007, 08:57:09 pm »


For example, I am trying to allow all local users (passwd/shadow) to log in on eyeOS.
I suppose that I have to create a file for eyeOS in /etc/pam.d.
So first, what do I have to do so that eyeOS knows that it should use the file I created?

AnthongRedbeard
« Reply #6 on: November 20, 2007, 03:15:21 pm »

Mathias, as far as I know eyeOS is not set up to use server OS authentication yet. eyeOS has its own authentication system and user management.

Daniel Sousa
eyeOS Team
« Reply #7 on: November 20, 2007, 06:53:07 pm »

I'm actually integrating eyeOS with the phpBB user manager, so users who have an account in the forum of my site (which are also used for other things in the site) can access an eyeOS account.

How it is working:
-- A user must first register on the forum.
-- Then, if the registered user also wants to use eyeOS, they just log in to eyeOS with the forum user+pass, and then eyeOS creates the user (after checking the db) and asks for a new pass (only for eyeOS).
-- After that, they just log in to eyeOS with the pass created; it doesn't check the db anymore for that user :)

phx
« Reply #8 on: November 22, 2007, 04:24:08 am »

Hi guys,

I don't know if you've heard about this, but apparently Smartcard authentication for WebApps should be easier now:
http://www.gemalto.com/php/pr_view.php?id=257

Quote
SConnect is a platform and browser agnostic technology enabling web applications and services to connect to any smart card. Eliminating the need for middleware and working seamlessly with existing infrastructures, SConnect is a paradigm shift in Web-based service delivery that let applications leverage smart cards for security and personalization.

Something worth looking at, IMHO.
Tks,

Richard

kccheng
« Reply #9 on: November 26, 2007, 11:36:57 am »

Hi,

PAM is a required feature I need to have before I can use eyeOS for real work (which I really want to).
I just took a quick look at eyeOS's source code.  Please let me explain what I understand about
PAM in eyeOS, and please feel free to correct me if I am wrong.

The default eyeOS auth uses XML to record users' profiles.  In order to create a new PAM method,
all I need to do is implement the following PHP interface:
 
    service_um_createUser($params = null)
    service_um_retriveUser($params = null)
    service_um_userExist($params = null)
    service_um_updateUser($params = null)
    service_um_deleteUser($params = null)
    service_um_login($params = null)
    service_um_getCurrentGroups()
    service_um_getCurrentUserDir()
    service_um_checkAdminPermissions()
    service_um_getUserDir($params=null)
    service_um_getUserFilePath($params=null)

Am I correct?  Thanks


Regards
KC