On Wed, 21 Aug 2002 11:47:21 +0300 Tanel Kokk <tanel.kokk@eyp.ee> wrote:

> dplist@free.fr wrote:
> > On Mon, 19 Aug 2002 17:35:06 +0300
> > Tanel Kokk <tanel.kokk@eyp.ee> wrote:
> >
> >> I have an imap server and authentication is done by pam. Now I want to
> >> implement such an authentication schema:
> >>
> >> - users from ALL are authenticated by a traditional pam module (like
> >>   pam_unix.so) OR by our self-created pam module (let's call it
> >>   pam_myself.so)
> >> - users from the special machine are authenticated only by
> >>   module pam_myself.so and BY NO MODULE ELSE!
> >>
> > [skip]
> >
> > Then stack your modules as shown:
> >
> >     auth sufficient /<yourpath>/pam_myself.so
> >     auth requisite  /lib/security/pam_access.so
> >     auth required   /lib/security/pam_unix.so
> >     auth required   /lib/security/pam_deny.so
> >
> > When a user tries to log in and if the first module succeeds, the
> > user is allowed. If not, the next module is examined. Since it is
> > marked as 'requisite', its success is mandatory for the user to be
> > allowed access. If so (i.e. the user does not come from your special
> > machine), the next module is invoked and you are then back with good
> > old pam_unix. If not, the user sees his login refused.
> >
> > I hope this is a correct answer to your problem, as far as security
> > is concerned.
> >
>
> That is what I meant. Thanks a lot for the answer!
>
> But we discovered a problem with the policy I described earlier. If users
> from ALL authenticate themselves by pam_unix, then the authentication
> attempt will fail against pam_myself, of course. And several failed
> auth. attempts will cause an account lock in our system. Therefore we have
> to change our policy:
>
> - authenticating from the special machine is done ONLY by module
>   pam_myself
> - authenticating from any other machine is done ONLY by module
>   pam_unix
>
> any ideas?
>
>
> Tanel
>

Maybe you should modify your pam_myself module to make it check whether
the remote host is your special machine and fail if false.

You could add a parameter to your module to pass the special machine's
address, that could be helpful if you change it someday.

Hoping this is true ...

Have a nice day.

--
David
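The remote-host gate David describes, as an added example that is not code from the thread or from pam_myself itself: a hypothetical helper, rhost_is_special(), compares the PAM_RHOST item against a `host=` module argument, and the pam.d lines in the comment, the example address 192.0.2.10 and the BUILD_AS_PAM_MODULE switch are all assumptions.

```c
/* Added example, not from the thread: the remote-host gate David suggests
 * for pam_myself. Refusing before the module's own backend is consulted
 * means logins from other machines never count as a failed attempt there.
 * Assumed stack (pam_access denies the special machine, so it cannot fall
 * through to pam_unix; everyone else fails pam_myself early and reaches it):
 *   auth sufficient /lib/security/pam_myself.so host=192.0.2.10
 *   auth requisite  /lib/security/pam_access.so
 *   auth required   /lib/security/pam_unix.so
 *   auth required   /lib/security/pam_deny.so
 */
#include <stddef.h>
#include <string.h>

/* Returns 1 when rhost equals one of the "host=<addr>" module arguments,
 * 0 otherwise. A local login has no PAM_RHOST (NULL or ""), and a missing
 * host= argument fails closed. rhost is whatever the application set, so
 * the host= value must use the same form (IP address or name). */
int rhost_is_special(const char *rhost, int argc, const char **argv)
{
    if (rhost == NULL || rhost[0] == '\0')
        return 0;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "host=", 5) == 0 &&
            strcmp(argv[i] + 5, rhost) == 0)
            return 1;
    }
    return 0;
}

#ifdef BUILD_AS_PAM_MODULE /* cc -fPIC -shared -DBUILD_AS_PAM_MODULE ... -lpam */
#define PAM_SM_AUTH
#include <security/pam_modules.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const void *rhost = NULL;
    (void)flags;
    if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    if (!rhost_is_special((const char *)rhost, argc, argv))
        return PAM_AUTH_ERR; /* not the special machine: stop before any backend call */
    /* Only the special machine gets here; pam_myself's own check replaces this line. */
    return PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#endif
```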