On Mon, 19 Aug 2002 17:35:06 +0300 Tanel Kokk <tanel.kokk@eyp.ee> wrote:

> I have an imap server and authentication is done by pam. Now I want to
> implement such an authentication schema:
>
> - users from ALL are authenticated by a traditional pam module (like
>   pam_unix.so) OR by our self-created pam module (let's call it
>   pam_myself.so)
> - users from a special machine are authenticated only by the module
>   pam_myself.so and BY NO MODULE ELSE!
>
> Is there some intelligent way to do so? Of course, it is possible
> to modify the imap server source and run two different imap servers (with
> different listening ports and pam services), but I would prefer not to do
> that, since there is some more intelligent way.
>
> Btw. modifying the module pam_myself.so is in our hands.
>
> Tanel
>
> my platform
> OS: Linux
> Distr: RedHat7.3
> imap: uw-imap (imap-2000c-15)
> pam: pam-0.75-19

Tanel,

I think you can work out this issue by using PAM module stacking and the pam_access module. This module allows you to grant or deny access to users by reading the file /etc/security/access.conf, where you can associate usernames, ttys, hostnames ... (have a look at /usr/share/doc/pam-0.75/txts/README.pam_access on your RH distro).

Configure this file the following way (line ordering matters):

    -:ALL:your_special_machine
    +:ALL:ALL

Then stack your modules as shown:

    auth sufficient /<yourpath>/pam_myself.so
    auth requisite  /lib/security/pam_access.so
    auth required   /lib/security/pam_unix.so
    auth required   /lib/security/pam_deny.so

When a user tries to log in and the first module succeeds, the user is allowed. If not, the next module is examined. Since it is marked as 'requisite', its success is mandatory for the user to be allowed access. If so (i.e. the user does not come from your special machine), the next module is invoked and you are then back with good old pam_unix. If not, the user sees his login refused.

I hope this is a correct answer to your problem, as far as security is concerned.

Have a nice day.
-- David
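As an added example (not code from the original thread or from Linux-PAM), here is a small Python simulation of the control-flag semantics David describes, using the access.conf contents and stack from his reply with pam_myself and pam_unix replaced by stub lookups; the user names, secrets and the hostname "otherhost" are constructed.

```python
# Added example, not from the thread: simulates the Linux-PAM auth-stack
# control flags David describes (sufficient/requisite/required) and the
# first-match-wins access.conf lookup; module results are constructed stubs.
from typing import Callable, List, Tuple
ACCESS_CONF = "-:ALL:your_special_machine\n+:ALL:ALL\n"
MYSELF_DB = {"alice": "token-a"}            # constructed pam_myself secrets
UNIX_DB = {"alice": "pw-a", "bob": "pw-b"}  # constructed pam_unix passwords

def access_rules(text: str) -> List[Tuple[bool, str, str]]:
    """Parse 'perm:users:origins' lines from access.conf, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            perm, users, origins = line.split(":", 2)
            rules.append((perm == "+", users, origins))
    return rules

def pam_access(user: str, host: str, rules) -> bool:
    """First matching line decides (so ordering matters); no match allows."""
    for allow, users, origins in rules:
        if users in ("ALL", user) and origins in ("ALL", host):
            return allow
    return True

def run_auth_stack(stack: List[Tuple[str, Callable[[], bool]]]) -> bool:
    """Evaluate (control, module) pairs with Linux-PAM control semantics."""
    failed_required = False
    for control, module in stack:
        ok = module()
        if control == "sufficient" and ok and not failed_required:
            return True             # success ends the stack immediately
        if control == "requisite" and not ok:
            return False            # failure aborts the stack immediately
        if control == "required" and not ok:
            failed_required = True  # remembered; remaining modules still run
    return not failed_required

def authenticate(user: str, secret: str, host: str, with_deny: bool = True) -> bool:
    """Build the stack from the reply for one login attempt and evaluate it."""
    rules = access_rules(ACCESS_CONF)
    stack = [
        ("sufficient", lambda: MYSELF_DB.get(user) == secret),  # pam_myself
        ("requisite", lambda: pam_access(user, host, rules)),   # pam_access
        ("required", lambda: UNIX_DB.get(user) == secret),      # pam_unix
    ]
    if with_deny:
        stack.append(("required", lambda: False))               # pam_deny
    return run_auth_stack(stack)
```

With the stack exactly as written, every attempt that gets past pam_access reaches the trailing `required pam_deny.so` line, and a failed required module fails the whole stack; calling `authenticate(..., with_deny=False)` shows the pam_unix fallback path for users from ordinary hosts.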