in reply to Using Unix passwd/shadow to authenticate in perl

Just a thought, but since I know RH7.2 includes the PAM (pluggable authentication module) system, you may want to take a look at Authen::PAM, a perl interface into the PAM. Just a thought... HTH.

Re: Re: Using Unix passwd/shadow to authenticate in perl
by bennomatic (Initiate) on Sep 26, 2003 at 16:51 UTC
    Thanks for the tip. I knew there was something called "PAM" that I needed to look for, but my initial searches yielded nothing, so I assumed I must have been starting with bad info. Thanks for the link.
      Authen::PAM won't help with shadow passwords. Root is the only user that can read /etc/shadow, so root is the only user that can verify a password.

      The advantage of using PAM is that it handles all the mechanisms for authenticating users. It takes care of the encryption algorithms: crypt, MD5, etc. It also will handle users authenticated through LDAP, Samba, NIS, or something else.

        You can actually use pam to authenticate as a normal user. You never get to see the encrypted password, but the pam lib tells you whether the password you are giving is right or not. Here is a quick example (cut & paste from the Authen::PAM perldocs):

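        #!/usr/bin/perl -w
        use strict;
        use Authen::PAM;

        # Authenticate as the user running the script.
        my $login_name = getpwuid($<);

        # PAM passes (message type, message) pairs; answer each with a
        # (status, reply) pair and finish with an overall status.
        sub conversation {
            my @res;
            while ( @_ ) {
                my $msg_type = shift;
                my $msg = shift;
                my $ans = "put your password here";
                push @res, (0,$ans);
            }
            push @res, PAM_SUCCESS();
            return @res;
        }

        my $pamh;
        pam_start("passwd", $login_name, \&conversation, $pamh);
        # Prints the PAM return code of the authentication attempt.
        print pam_authenticate($pamh);
        pam_end($pamh);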
        The outcome changes depending on whether the password is correct.

        Cheers

        Antonio

        The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
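The Authen::PAM call sequence from the post above, generalized to a supplied username and password with every return code checked. This is an added example, not part of any post in this thread or of the Authen::PAM documentation. `check_password` is a hypothetical helper name, and the "passwd" service name is taken from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::PAM;

# Hypothetical helper: returns (1, "") when PAM accepts $user/$pass for
# $service, otherwise (0, reason). $service names a PAM service definition.
sub check_password {
    my ($service, $user, $pass) = @_;

    # PAM calls this with (type, message) pairs; reply with (status, answer)
    # pairs followed by one overall status.
    my $conv = sub {
        my @res;
        while (@_) {
            my $type = shift;
            my $msg  = shift;
            my $ans  = "";
            $ans = $user if $type == PAM_PROMPT_ECHO_ON();   # visible prompt
            $ans = $pass if $type == PAM_PROMPT_ECHO_OFF();  # hidden prompt
            push @res, (PAM_SUCCESS(), $ans);
        }
        push @res, PAM_SUCCESS();
        return @res;
    };

    my $pamh;
    my $rc = pam_start($service, $user, $conv, $pamh);
    return (0, "pam_start failed ($rc)") unless $rc == PAM_SUCCESS();

    # Verify the credentials, then check the account is not expired or locked.
    $rc = pam_authenticate($pamh, 0);
    $rc = pam_acct_mgmt($pamh, 0) if $rc == PAM_SUCCESS();

    my $reason = $rc == PAM_SUCCESS() ? "" : pam_strerror($pamh, $rc);
    pam_end($pamh, $rc);
    return ($rc == PAM_SUCCESS() ? 1 : 0, $reason);
}

# Read the password from STDIN so it never appears in argv or the process list.
my $user = shift @ARGV or die "usage: $0 username < password\n";
chomp(my $pass = <STDIN> // "");
my ($ok, $why) = check_password("passwd", $user, $pass);
print $ok ? "accepted\n" : "rejected: $why\n";
exit($ok ? 0 : 1);
```

What the call returns for an account other than the caller's own depends on the system's PAM configuration and the privileges the script runs with.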
        OK, I'm confused. So if I use the AUTHEN::PAM module, I will or won't be able to authenticate users from a CGI script based on their UNIX account/password pairs? I don't actually care about direct access to the shadow file, as long as I can make those authentications...