Re: pam module to set cifs credentials in key store

On Wed, 2013-11-13 at 13:59 -0700, Orion Poplawski wrote:
> On 11/12/2013 07:25 PM, Jeff Layton wrote:
> > On Tue, 12 Nov 2013 23:22:57 +0000 (UTC)
> > Orion Poplawski <orion@xxxxxxxxxxxxx> wrote:
> >
> >> Has anyone started work on a pam module to set the cifs keys on login?  Is
> >> this sensible?
> >>
> >> - Orion
> >>
> >
> > Quite sensible. No one is working on it that I know of...
> >
> 
> How does this seem?
> 
> - I pulled a couple shared routines out of cifscreds.c into cifskey.[hc].
> - We build the pam_cifscreds.so directly from all of the source to get -fpic.
> 
> I've tested with:
> 
> /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> auth       substack     system-auth
> auth       optional     pam_cifscreds.so
> auth       include      postlogin
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open
> session    required     pam_namespace.so
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    optional     pam_cifscreds.so domain=CO-RA
> session    include      postlogin
> -session   optional     pam_ck_connector.so
> 
> and it seems to work.
> 
> I tried putting it into system-auth but no luck.  Not sure what is up there.
> 

Uhm doesn't this code store the user password in the clear in a key that
is explicitly made readable to any process of the user in the same
session?

Simo.
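
A defender-side check for the concern raised in this message, as an added example that is not part of the original thread or of cifs-utils: it decodes the permission mask column of `/proc/keys`-style lines and reports which classes (possessor, user, group, other) may read a key's payload. The sample lines, the `user` key type and the `cifs:` description prefix are constructed assumptions, not values taken from the patch under discussion.

```c
#include <stdio.h>
#include <string.h>

#define KEY_READ 0x02u  /* per-class "read payload" bit in a key permission mask */

/* Constructed /proc/keys-style lines (not captured from a real system). */
static const char *SAMPLE[] = {
    "2a4f1c3e I--Q---     1 perm 3f010000  1000  1000 user      cifs:d:EXAMPLE: 12",
    "11d0b7a2 I--Q---     1 perm 0d0d0000  1000  1000 user      cifs:d:EXAMPLE: 12",
    "3b9e2210 I--Q---     4 perm 3f3f0000  1000  1000 keyring   _ses: 2",
};

/* The mask holds one byte per class: possessor, user, group, other (high to low).
 * Returns a 4-bit set of classes allowed to read the payload:
 * 8 = possessor, 4 = user, 2 = group, 1 = other. */
static unsigned readable_by(unsigned perm)
{
    unsigned classes = 0;
    for (int shift = 0; shift < 32; shift += 8)
        if ((perm >> shift) & KEY_READ)
            classes |= 1u << (shift / 8);
    return classes;
}

/* Audits one line: -1 on parse error, 0 if the key is a keyring, does not match
 * the description prefix, or is not readable; otherwise the readable_by() set. */
static int audit_line(const char *line, const char *prefix)
{
    unsigned serial, perm;
    int usage, uid, gid;
    char flags[16], expiry[16], type[32], desc[128];

    if (sscanf(line, "%x %15s %d %15s %x %d %d %31s %127s", &serial, flags,
               &usage, expiry, &perm, &uid, &gid, type, desc) != 9)
        return -1;
    if (strcmp(type, "keyring") == 0 || strncmp(desc, prefix, strlen(prefix)) != 0)
        return 0;
    return (int)readable_by(perm);
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-9.8s readable-by mask: %d\n", SAMPLE[i], audit_line(SAMPLE[i], "cifs:"));
    return 0;
}
```

A nonzero result for a credential key means its payload can be read back by that class of process; a mask without the read bit in any class (the second sample) keeps the payload write-only from userspace.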
