r1028 - in trunk: . OLD

archaic at linuxfromscratch.org
Sun Apr 2 09:28:50 PDT 2006


Author: archaic
Date: 2006-04-02 10:28:48 -0600 (Sun, 02 Apr 2006)
New Revision: 1028

Added:
   trunk/OLD/execute-session-scripts-using-kdm-and-pam.txt
   trunk/execute-session-scripts-using-kdm.txt
Removed:
   trunk/execute-session-scripts-using-kdm-and-pam.txt
Log:
Added execute-session-scripts-using-kdm.txt (supersedes execute-session-scripts-using-kdm-and-pam.txt written by same author).

Copied: trunk/OLD/execute-session-scripts-using-kdm-and-pam.txt (from rev 1025, trunk/execute-session-scripts-using-kdm-and-pam.txt)
===================================================================
--- trunk/OLD/execute-session-scripts-using-kdm-and-pam.txt	                        (rev 0)
+++ trunk/OLD/execute-session-scripts-using-kdm-and-pam.txt	2006-04-02 16:28:48 UTC (rev 1028)
@@ -0,0 +1,314 @@
+AUTHOR: Stef Bon <stef at bononline dot nl>
+
+DATE: 2006-01-30
+
+LICENSE: GNU Free Documentation License Version 1.2
+
+SYNOPSIS: Execute scripts at begin and end of a KDE-session using KDM and PAM.
+
+DESCRIPTION:
+
+This hint is about the ability to execute scripts when a KDE session starts 
+and when it stops. 
+
+Earlier I wrote a hint about this using PAM, with the help of the module pam_script. 
+I discovered that PAM is not the best place to do so. PAM is not the place to start 
+scripts, KDM is. KDM provides a very easy way via the Xstartup and Xreset files to 
+execute scripts. PAM has the abilty to do something with the credentials provided 
+at login, with the help of a module called pam_script. 
+
+I'm trying to combine those two.
+
+
+warning:
+
+I use PAM and a module called pam_script to store the credentials provided at
+login (the username and the password!!) for authentication against SMB servers, when 
+mounting shares or browsing the network with fusesmb.
+This looks a little bit like Single Sign On, but it isn't!! The credentials are stored in 
+a subdirectory of the homedir (~/.cifs/mount.cifs.conf and ~/.smb/fusesmb.conf), with enough security at runtime.
+But somebody can still find them being root, or with a LiveCD. The credentials are stored
+plaintext, no encryption!!
+
+So, this should never be used in an environment where you can't trust your users!
+
+
+ATTACHMENTS:
+
+
+PREREQUISITES:
+This hint requires sufficient knowledge of LINUX in general, and scripts in particular.
+
+HINT:
+
+Content:
+1. KDM: the files
+2. PAM: the files
+2.1 Installation of pam_script
+2.2 Adjusting pam configuration
+2.3 Creating the onauth script
+3. TODO and suggestions
+
+
+1. KDM: the files
+-----------------
+
+KDM uses some files to start and stop:
+
+. Xstartup 
+run as root, after a user succesfully logs in. 
+
+. Xsession
+runs with permissions of the authorized user, to start the desired session (KDE).
+
+. Xreset
+run as root, after the user session has ended.
+
+Where Xstartup is the place to start things up, Xreset is the place to undo these commands.
+
+For more information about these files look at the handbook of KDM.
+
+By adding the following code to the Xstartup file:
+
+
+-- snip --
+
+for script in /etc/session.d/kdm/startup/*.sh; do
+
+	if [ -x $script ]; then
+	
+		eval $script $USER
+
+	fi;
+
+done;
+
+
+and the code to the Xreset file:
+
+
+-- snip --
+
+for script in /etc/session.d/kdm/reset/*.sh; do
+
+	if [ -x $script ]; then
+	
+		eval $script $USER
+
+	fi;
+
+done;
+
+
+Create the directories where the scripts go:
+
+install -m755 -d /etc/session.d/kdm/startup
+install -m755 -d /etc/session.d/kdm/reset
+
+The files in these directories must be accessible for every ordinary user: 
+therefore the permissions are 755. 
+All scripts in these directories should have the same permissions: 755.
+
+Every user should be able to execute the script, but only root is able to modify 
+them.
+
+
+2. PAM: the files
+-----------------
+
+My version of PAM is 0.80. 
+I using pam-script to make credentials provided at login available for password
+sensitive programs like mount.cifs and fusesmb. If this is not what you want, skip 
+this section. 
+Also be aware of the "danger" of this construction, as already stated in the 
+DESCRIPTION.
+
+
+2.1 installation of pam_script
+------------------------------
+
+Get the module pam_script from http://freshmeat.net/projects/pam_script. 
+I'm using version 0.1.6.
+
+unpack:
+
+tar -xzf pam-script-*.tar.gz
+
+compile and move to the proper place:
+
+cd pam-script-*
+
+make
+mv pam_script.so /lib/security
+chown root:root /lib/security/pam_script.so
+chmod 755 /lib/security/pam_script.so
+
+
+2.2 Adjusting pam configuration
+-------------------------------
+
+
+Adjusting the /etc/pam.d/login file:
+
+
+Pam_script has the ability (from version 0.1.5) to get the password provided at login, 
+and make this available via an environmentvariable PAM_AUTHTOK to scripts. 
+Insert it in the authpart:
+
+-- snip --
+
+auth		required	pam_shells.so
+auth		required	pam_script.so expose=1
+auth		sufficient	pam_unix.so use_first_apss
+auth		required	pam_ldap.so use_first_pass
+
+
+When using other ways for users to login than the standard, like a X-based login as kdm,
+adjust them the same way. On my machine I login frequently in with kdm, and that uses the 
+kde-service, which is a symlink to the login-service:
+
+cd /etc/pam.d
+
+lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde -> login
+lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde-np -> login
+-rw-r--r--   1 root root  931 2005-07-19 13:20 login
+
+
+Notes:
+
+- the pam_script.so uses some parameters. All of them are described in the README in the
+source directory.
+I use expose=1 in the autpart because I want the password to be used by fusesmb and mount.cifs.
+
+
+2.3 Creating the onauth script
+------------------------------
+
+
+The pam_script works with two standard scripts, onsessionopen and onsessionclose in the
+/etc/security directory. 
+
+
+cat >> /etc/security/onauth << "EOF"
+#!/bin/bash
+
+userid=$1
+service=$2
+userproperties=$(getent passwd | grep -E "^$userid")
+
+if [ -z "$userproperties" ]; then
+
+    #
+    # userproperties not found: something wrong
+    #
+
+    echo "User not found."
+    exit
+
+fi;
+
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+nrusers=$(w -h $userid | wc -l);
+
+if [ $nrusers -eq 0 ]; then
+
+    if [ -d /etc/session.d/pam ]; then
+
+	for script in /etc/session.d/pam/onauth/*.sh; do
+	
+	    if [ -x $script ]; then
+
+		eval $script $userid $service $PAM_AUTHTOK
+
+	    fi;
+	done;
+	
+    fi;
+
+fi;
+
+exit 0
+
+EOF
+
+chown root:root /etc/security/onauth
+chmod 755 /etc/security/onauth
+
+
+Create the following directories:
+
+mkdir -p /etc/session.d/pam/onauth
+
+Here is where the scripts will go.
+
+
+Notes:
+
+-  as you can see I use the command "w" to determine the users logged in. 
+Other utilities as who, users and last gave not reliable information. It 
+looks as if the utmp file is not always presenting the right values. 
+Utilities as who,users and last show information from utmp without any check, so 
+they inherit the faults. 'w' does some extra checking, which makes it more 
+usable. 
+
+Other pammodules, like pam_mount, have other ways to keep track of the amount of logins 
+per user. With pam_mount a seperate file (/var/run/pam_mount/$userid) is created for
+this purpose.
+
+Anyone knowing a better way to determine how many times a user is logged 
+in, please let me know.
+
+- I choose to execute the script only when it's the first time a user logs in.
+It's also possible to leave that to the scripts (in /etc/session.d/pam/).
+
+- pam_script is able to execute scripts when a sessions starts, and when is ends 
+(pam_script calls it onsessionopen and onsessionclose). 
+I've used this, but not anymore. These scripts I now put in /etc/session.d/kdm/startup and 
+/etc/session.d/kdm/reset.
+
+
+
+3. TODO and suggestions
+-----------------------
+
+The construction is working, but is not complete:
+
+- it does no logging and proper userfeedback (on the screen) 
+with the hint xconsole_setup.txt (unmaintained: in hints/downloads/files)
+you'll find a way to launch xconsole at startup by root. Using logger and 
+adjusting /etc/syslog.conf it's possible to write messages to it, which
+appear just before the splash screen of KDE comes up.
+
+
+- scripts are executed in the order the command
+
+for script in /etc/session.d/kdm/startup/*.sh; do
+
+works.
+
+Maybe there should be an order. Some scripts first and others later. Just like
+the rc script works to start and stop scripts in the /etc/rc.d structure.
+
+
+- I'm testing FreeNX now. It turns your desktop into a terminalserver for
+X11 sessions. You should test it!
+There is a hint for LFS already!! 
+It does not work with KDM, so does nothing with the construction I'm using.
+I'll check this is a sollution.
+
+
+ACKNOWLEDGEMENTS:
+  * Thanks to the author of pam_script, Izak Burger, for his module and 
+    some usefull hints.
+
+CHANGELOG:
+[2006-01-15]
+  * Initial hint.
+[2006-01-30]
+  * added chapter 3. TODO and suggestions
+
+TODO:
+  * add logging via xconsole
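
Review bot: in the onauth heredoc, "eval $script $userid $service $PAM_AUTHTOK" hands the login password to a root shell for a second round of parsing and puts it on the command line of every script in /etc/session.d/pam/onauth. A password containing spaces or shell metacharacters is therefore split or interpreted, and the argument is readable in the process list while the script runs. Suggest dropping eval, quoting the expansions ("$script" "$userid" "$service"), and letting the scripts read PAM_AUTHTOK from the environment that expose=1 already provides. Two smaller points in the same hunk: the pam.d snippet spells the pam_unix.so option as use_first_apss, which should be use_first_pass, and grep -E "^$userid" also matches any longer account name that begins with the same characters, so getent passwd "$userid" would be the exact lookup.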

Deleted: trunk/execute-session-scripts-using-kdm-and-pam.txt
===================================================================
--- trunk/execute-session-scripts-using-kdm-and-pam.txt	2006-04-02 16:25:03 UTC (rev 1027)
+++ trunk/execute-session-scripts-using-kdm-and-pam.txt	2006-04-02 16:28:48 UTC (rev 1028)
@@ -1,314 +0,0 @@
-AUTHOR: Stef Bon <stef at bononline dot nl>
-
-DATE: 2006-01-30
-
-LICENSE: GNU Free Documentation License Version 1.2
-
-SYNOPSIS: Execute scripts at begin and end of a KDE-session using KDM and PAM.
-
-DESCRIPTION:
-
-This hint is about the ability to execute scripts when a KDE session starts 
-and when it stops. 
-
-Earlier I wrote a hint about this using PAM, with the help of the module pam_script. 
-I discovered that PAM is not the best place to do so. PAM is not the place to start 
-scripts, KDM is. KDM provides a very easy way via the Xstartup and Xreset files to 
-execute scripts. PAM has the abilty to do something with the credentials provided 
-at login, with the help of a module called pam_script. 
-
-I'm trying to combine those two.
-
-
-warning:
-
-I use PAM and a module called pam_script to store the credentials provided at
-login (the username and the password!!) for authentication against SMB servers, when 
-mounting shares or browsing the network with fusesmb.
-This looks a little bit like Single Sign On, but it isn't!! The credentials are stored in 
-a subdirectory of the homedir (~/.cifs/mount.cifs.conf and ~/.smb/fusesmb.conf), with enough security at runtime.
-But somebody can still find them being root, or with a LiveCD. The credentials are stored
-plaintext, no encryption!!
-
-So, this should never be used in an environment where you can't trust your users!
-
-
-ATTACHMENTS:
-
-
-PREREQUISITES:
-This hint requires sufficient knowledge of LINUX in general, and scripts in particular.
-
-HINT:
-
-Content:
-1. KDM: the files
-2. PAM: the files
-2.1 Installation of pam_script
-2.2 Adjusting pam configuration
-2.3 Creating the onauth script
-3. TODO and suggestions
-
-
-1. KDM: the files
------------------
-
-KDM uses some files to start and stop:
-
-. Xstartup 
-run as root, after a user succesfully logs in. 
-
-. Xsession
-runs with permissions of the authorized user, to start the desired session (KDE).
-
-. Xreset
-run as root, after the user session has ended.
-
-Where Xstartup is the place to start things up, Xreset is the place to undo these commands.
-
-For more information about these files look at the handbook of KDM.
-
-By adding the following code to the Xstartup file:
-
-
--- snip --
-
-for script in /etc/session.d/kdm/startup/*.sh; do
-
-	if [ -x $script ]; then
-	
-		eval $script $USER
-
-	fi;
-
-done;
-
-
-and the code to the Xreset file:
-
-
--- snip --
-
-for script in /etc/session.d/kdm/reset/*.sh; do
-
-	if [ -x $script ]; then
-	
-		eval $script $USER
-
-	fi;
-
-done;
-
-
-Create the directories where the scripts go:
-
-install -m755 -d /etc/session.d/kdm/startup
-install -m755 -d /etc/session.d/kdm/reset
-
-The files in these directories must be accessible for every ordinary user: 
-therefore the permissions are 755. 
-All scripts in these directories should have the same permissions: 755.
-
-Every user should be able to execute the script, but only root is able to modify 
-them.
-
-
-2. PAM: the files
------------------
-
-My version of PAM is 0.80. 
-I using pam-script to make credentials provided at login available for password
-sensitive programs like mount.cifs and fusesmb. If this is not what you want, skip 
-this section. 
-Also be aware of the "danger" of this construction, as already stated in the 
-DESCRIPTION.
-
-
-2.1 installation of pam_script
-------------------------------
-
-Get the module pam_script from http://freshmeat.net/projects/pam_script. 
-I'm using version 0.1.6.
-
-unpack:
-
-tar -xzf pam-script-*.tar.gz
-
-compile and move to the proper place:
-
-cd pam-script-*
-
-make
-mv pam_script.so /lib/security
-chown root:root /lib/security/pam_script.so
-chmod 755 /lib/security/pam_script.so
-
-
-2.2 Adjusting pam configuration
--------------------------------
-
-
-Adjusting the /etc/pam.d/login file:
-
-
-Pam_script has the ability (from version 0.1.5) to get the password provided at login, 
-and make this available via an environmentvariable PAM_AUTHTOK to scripts. 
-Insert it in the authpart:
-
--- snip --
-
-auth		required	pam_shells.so
-auth		required	pam_script.so expose=1
-auth		sufficient	pam_unix.so use_first_apss
-auth		required	pam_ldap.so use_first_pass
-
-
-When using other ways for users to login than the standard, like a X-based login as kdm,
-adjust them the same way. On my machine I login frequently in with kdm, and that uses the 
-kde-service, which is a symlink to the login-service:
-
-cd /etc/pam.d
-
-lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde -> login
-lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde-np -> login
--rw-r--r--   1 root root  931 2005-07-19 13:20 login
-
-
-Notes:
-
-- the pam_script.so uses some parameters. All of them are described in the README in the
-source directory.
-I use expose=1 in the autpart because I want the password to be used by fusesmb and mount.cifs.
-
-
-2.3 Creating the onauth script
-------------------------------
-
-
-The pam_script works with two standard scripts, onsessionopen and onsessionclose in the
-/etc/security directory. 
-
-
-cat >> /etc/security/onauth << "EOF"
-#!/bin/bash
-
-userid=$1
-service=$2
-userproperties=$(getent passwd | grep -E "^$userid")
-
-if [ -z "$userproperties" ]; then
-
-    #
-    # userproperties not found: something wrong
-    #
-
-    echo "User not found."
-    exit
-
-fi;
-
-homedir=$(echo $userproperties | cut -d ":" -f 6);
-gidnr=$(echo $userproperties | cut -d ":" -f 4);
-uidnr=$(echo $userproperties | cut -d ":" -f 3);
-
-nrusers=$(w -h $userid | wc -l);
-
-if [ $nrusers -eq 0 ]; then
-
-    if [ -d /etc/session.d/pam ]; then
-
-	for script in /etc/session.d/pam/onauth/*.sh; do
-	
-	    if [ -x $script ]; then
-
-		eval $script $userid $service $PAM_AUTHTOK
-
-	    fi;
-	done;
-	
-    fi;
-
-fi;
-
-exit 0
-
-EOF
-
-chown root:root /etc/security/onauth
-chmod 755 /etc/security/onauth
-
-
-Create the following directories:
-
-mkdir -p /etc/session.d/pam/onauth
-
-Here is where the scripts will go.
-
-
-Notes:
-
--  as you can see I use the command "w" to determine the users logged in. 
-Other utilities as who, users and last gave not reliable information. It 
-looks as if the utmp file is not always presenting the right values. 
-Utilities as who,users and last show information from utmp without any check, so 
-they inherit the faults. 'w' does some extra checking, which makes it more 
-usable. 
-
-Other pammodules, like pam_mount, have other ways to keep track of the amount of logins 
-per user. With pam_mount a seperate file (/var/run/pam_mount/$userid) is created for
-this purpose.
-
-Anyone knowing a better way to determine how many times a user is logged 
-in, please let me know.
-
-- I choose to execute the script only when it's the first time a user logs in.
-It's also possible to leave that to the scripts (in /etc/session.d/pam/).
-
-- pam_script is able to execute scripts when a sessions starts, and when is ends 
-(pam_script calls it onsessionopen and onsessionclose). 
-I've used this, but not anymore. These scripts I now put in /etc/session.d/kdm/startup and 
-/etc/session.d/kdm/reset.
-
-
-
-3. TODO and suggestions
------------------------
-
-The construction is working, but is not complete:
-
-- it does no logging and proper userfeedback (on the screen) 
-with the hint xconsole_setup.txt (unmaintained: in hints/downloads/files)
-you'll find a way to launch xconsole at startup by root. Using logger and 
-adjusting /etc/syslog.conf it's possible to write messages to it, which
-appear just before the splash screen of KDE comes up.
-
-
-- scripts are executed in the order the command
-
-for script in /etc/session.d/kdm/startup/*.sh; do
-
-works.
-
-Maybe there should be an order. Some scripts first and others later. Just like
-the rc script works to start and stop scripts in the /etc/rc.d structure.
-
-
-- I'm testing FreeNX now. It turns your desktop into a terminalserver for
-X11 sessions. You should test it!
-There is a hint for LFS already!! 
-It does not work with KDM, so does nothing with the construction I'm using.
-I'll check this is a sollution.
-
-
-ACKNOWLEDGEMENTS:
-  * Thanks to the author of pam_script, Izak Burger, for his module and 
-    some usefull hints.
-
-CHANGELOG:
-[2006-01-15]
-  * Initial hint.
-[2006-01-30]
-  * added chapter 3. TODO and suggestions
-
-TODO:
-  * add logging via xconsole

Added: trunk/execute-session-scripts-using-kdm.txt
===================================================================
--- trunk/execute-session-scripts-using-kdm.txt	                        (rev 0)
+++ trunk/execute-session-scripts-using-kdm.txt	2006-04-02 16:28:48 UTC (rev 1028)
@@ -0,0 +1,146 @@
+AUTHOR: Stef Bon <stef at bononline dot nl>
+
+DATE: 2006-03-21
+
+LICENSE: GNU Free Documentation License Version 1.2
+
+SYNOPSIS: Execute scripts at begin and end of a KDE-session using KDM.
+
+DESCRIPTION:
+
+This hint is about the ability to execute scripts when a KDE session starts 
+and when it stops. 
+
+Earlier I wrote a hint about this using PAM, with the help of the module 
+pam_script. I discovered that PAM is not the best place to do so. PAM is not 
+the place to start scripts, KDM is. KDM provides a very easy way via the 
+Xstartup and Xreset files to execute scripts. PAM has the abilty to do something 
+with the credentials provided at login, with the help of a module called 
+pam_script. 
+
+Original hint is on linux.bononline.nl, 
+"Installation and configuration of sessionscripts using KDM".
+
+
+ATTACHMENTS:
+
+
+PREREQUISITES:
+This hint requires sufficient knowledge of LINUX in general, and scripts in 
+particular.
+
+HINT:
+
+Content:
+1. KDM: the files
+2. TODO and suggestions
+
+
+1. KDM: the files
+-----------------
+
+KDM uses some files to start and stop:
+
+. Xstartup 
+run as root, after a user succesfully logs in. 
+
+. Xsession
+runs with permissions of the authorized user, to start the desired session (KDE).
+
+. Xreset
+run as root, after the user session has ended.
+
+Where Xstartup is the place to start things up, Xreset is the place to undo these 
+commands.
+
+For more information about these files look at the handbook of KDM.
+
+By adding the following code to the Xstartup file:
+
+
+-- snip --
+
+for script in /etc/session.d/kdm/startup/*.sh; do
+
+	if [ -x $script ]; then
+	
+		eval $script $USER kdm
+
+	fi;
+
+done;
+
+
+and the code to the Xreset file:
+
+
+-- snip --
+
+for script in /etc/session.d/kdm/reset/*.sh; do
+
+	if [ -x $script ]; then
+	
+		eval $script $USER kdm
+
+	fi;
+
+done;
+
+
+Create the directories where the scripts go:
+
+install -m755 -d /etc/session.d/kdm/startup
+install -m755 -d /etc/session.d/kdm/reset
+
+The files in these directories must be accessible for every ordinary user: 
+therefore the permissions are 755. 
+All scripts in these directories should have the same permissions: 755.
+
+Every user should be able to execute the script, but only root is able to 
+modify them.
+
+
+
+2. TODO and suggestions
+-----------------------
+
+The construction is working, but is not complete:
+
+- it does no logging and proper userfeedback (on the screen) 
+with the hint xconsole_setup.txt (unmaintained: in hints/downloads/files)
+you'll find a way to launch xconsole at startup by root. Using logger and 
+adjusting /etc/syslog.conf it's possible to write messages to it, which
+appear just before the splash screen of KDE comes up.
+
+
+- scripts are executed in the order the command
+
+for script in /etc/session.d/kdm/startup/*.sh; do
+
+works.
+
+Maybe there should be an order. Some scripts first and others later. Just 
+like the rc script works to start and stop scripts in the /etc/rc.d structure.
+
+
+- I'm testing FreeNX now. It turns your desktop into a terminalserver for
+X11 sessions. You should test it!
+There is a hint for LFS already!! 
+It does not work with KDM, so does nothing with the construction I'm using.
+I'll check for a sollution.
+
+
+ACKNOWLEDGEMENTS:
+  * Thanks to the author of pam_script, Izak Burger, for his module and 
+    some usefull hints.
+
+CHANGELOG:
+[2006-01-15]
+  * Initial hint.
+[2006-01-30]
+  * added chapter 3. TODO and suggestions
+[2006-03-21]
+  * removed all PAM related chapters. Soon a new hint only about this will follow.
+
+TODO:
+  * add logging via xconsole
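
Review bot: in both the Xstartup and Xreset loops, "eval $script $USER kdm" runs as root and re-parses an unquoted path and user name, so any whitespace or shell metacharacter in either is interpreted by the root shell. eval is not needed here; calling "$script" "$USER" kdm directly, with the test written as [ -x "$script" ], does the same job. The CHANGELOG entry "added chapter 3. TODO and suggestions" and the pam_script acknowledgement are also left over from the PAM version; in this file the TODO section is chapter 2.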



