On Tue, 8 Jun 2021 at 12:27, Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
> On Tue, Jun 8, 2021 at 10:51 AM Tom Hughes <tom@xxxxxxxxxx> wrote:
> >
> > On 08/06/2021 14:51, Stephen Gallagher wrote:
> >
> > > I was thinking about suggesting a similar PAM module to convert
> > > existing hashes, but I suspect that we'd be coming up against some
> > > issues with security policy and separation of actions. Right now, I
> > > expect that SELinux permits PAM processes to have read-only access to
> > > /etc/shadow, but such a change would necessitate read/write access,
> > > which is riskier. It's also why PAM has separate activities for
> > > authentication, authorization and password-change.
> >
> > Surely it has to allow write as well because any authentication can
> > already prompt for a password change if the password is expired?
> >
> It's been a while, but I *think* I remember that PAM sends back an
> "expired password" message and the client application (eg. `login`)
> then calls the pam_chpass() stack.

I believe it is something like that, mainly because there are many systems where a password change is a major auditable event and you only want those generated from specific systems and then pushed out. [Yes, this doesn't fit well with the world of today, but the PAM stack was written for the security policies and actions of the late 1980s/early 1990s...]
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in sci.astro.orion. I have seen SPAM filters overload because of Godwin's Law. All those moments will be lost in time... like posts on BBS... time to reboot.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure