dplist@free.fr wrote:
> On Mon, 19 Aug 2002 17:35:06 +0300
> Tanel Kokk <tanel.kokk@eyp.ee> wrote:
>
>> I have an IMAP server and authentication is done by PAM. Now I want to
>> implement such an authentication scheme:
>>
>> - users from ALL are authenticated by a traditional PAM module (like
>>   pam_unix.so) OR by our self-created PAM module (let's call it
>>   pam_myself.so)
>> - users from the special machine are authenticated only by
>>   module pam_myself.so and BY NO MODULE ELSE!
>>
>> [skip]
>
> Then stack your modules as shown:
>
> auth sufficient /<yourpath>/pam_myself.so
> auth requisite /lib/security/pam_access.so
> auth required /lib/security/pam_unix.so
> auth required /lib/security/pam_deny.so
>
> When a user tries to log in and if the first module succeeds, the user
> is allowed. If not, the next module is examined. Since it is marked as
> 'requisite', its success is mandatory for the user to be allowed access.
> If so (i.e. the user does not come from your special machine), the next
> module is invoked and you are then back with good old pam_unix. If not,
> the user sees his login refused.
>
> I hope this is a correct answer to your problem, as far as security is
> concerned.

That is what I meant. Thanks a lot for the answer!

But we discovered a problem with the policy I described earlier. If users
from ALL authenticate themselves by pam_unix, then the authentication
attempt will fail against pam_myself, of course. And several failed
authentication attempts will cause an account lock in our system.

Therefore we have to change our policy:

- authenticating from the special machine is done ONLY by module pam_myself
- authenticating from any other machine is done ONLY by module pam_unix

Any ideas?

Tanel
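Added example (not part of the thread, and not code from either poster): a small Python simulator of how Linux-PAM walks an "auth" stack with the sufficient/requisite/required control flags, run against the stack proposed in the reply above. The module functions are stand-ins for the real .so files, with constructed user lists and a constructed host name; the hypothetical pam_myself is modelled to count its own failures, since the follow-up explains that failed attempts against it lock the account in Tanel's system. The trace makes the problem he raises visible: a pam_unix user from an ordinary machine is always tried against pam_myself first and accumulates one failure per login. It also shows a property of the listed stack worth checking in any real configuration: a "required" pam_deny.so as the last entry fails every request that reaches it, so with the stack exactly as listed the pam_unix path never grants access. A second stack without that entry is included so the pam_unix path can be compared.

```python
"""Simulate Linux-PAM 'auth' stack evaluation (sufficient/requisite/required).

All users, hosts and module behaviours below are constructed sample data;
the module names only mirror those in the mailing-list reply.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample data (assumptions, not taken from the thread).
MYSELF_USERS = {"bob"}            # users the hypothetical pam_myself.so knows
UNIX_USERS = {"alice", "bob"}     # users in the local passwd database
SPECIAL_HOST = "special.example"  # the "special machine" of the thread

# The thread says failed attempts against pam_myself lock the account,
# so the stand-in module keeps a per-user failure counter.
myself_failures: Counter = Counter()


@dataclass
class Entry:
    control: str                       # required | requisite | sufficient | optional
    name: str
    check: Callable[[str, str], bool]  # (user, host) -> did the module succeed?


def pam_myself(user: str, host: str) -> bool:
    ok = user in MYSELF_USERS
    if not ok:
        myself_failures[user] += 1     # every miss counts towards a lockout
    return ok


def pam_access(user: str, host: str) -> bool:
    # Stand-in for an access.conf that denies logins from the special machine.
    return host != SPECIAL_HOST


def pam_unix(user: str, host: str) -> bool:
    return user in UNIX_USERS          # password check abstracted away


def pam_deny(user: str, host: str) -> bool:
    return False                       # pam_deny.so always fails


def run_auth_stack(stack: List[Entry], user: str, host: str
                   ) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Walk the stack with Linux-PAM control-flag semantics.

    Returns (access granted?, trace of (module, result) in evaluation order).
    """
    trace: List[Tuple[str, bool]] = []
    required_failed = False
    for e in stack:
        ok = e.check(user, host)
        trace.append((e.name, ok))
        if e.control == "sufficient":
            if ok and not required_failed:
                return True, trace     # success short-circuits the stack
        elif e.control == "requisite":
            if not ok:
                return False, trace    # failure short-circuits the stack
        elif e.control == "required":
            if not ok:
                required_failed = True # remembered; later modules still run
        # "optional": result ignored
    return (not required_failed), trace


# The stack exactly as listed in the reply above.
REPLY_STACK = [
    Entry("sufficient", "pam_myself", pam_myself),
    Entry("requisite", "pam_access", pam_access),
    Entry("required", "pam_unix", pam_unix),
    Entry("required", "pam_deny", pam_deny),
]

# Same stack without the trailing pam_deny, for comparing the pam_unix path.
REPLY_STACK_WITHOUT_DENY = REPLY_STACK[:3]


def attempts(stack: List[Entry], user: str, host: str, n: int) -> Tuple[bool, int]:
    """Run n logins; return (last result, pam_myself failures recorded for user)."""
    myself_failures[user] = 0
    result = False
    for _ in range(n):
        result, _trace = run_auth_stack(stack, user, host)
    return result, myself_failures[user]


if __name__ == "__main__":
    for stack_name, stack in (("reply stack", REPLY_STACK),
                              ("without pam_deny", REPLY_STACK_WITHOUT_DENY)):
        for user, host in (("bob", SPECIAL_HOST), ("alice", SPECIAL_HOST),
                           ("alice", "desktop.example")):
            granted, trace = run_auth_stack(stack, user, host)
            print(f"{stack_name:17} {user}@{host:16} granted={granted} trace={trace}")
```

Running the block prints one trace per (stack, user, host) combination; the failure counter for "alice" grows on every login through either stack, which is exactly the lockout interaction the follow-up message describes.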