The module you are looking for sounds like you are trying to perform a "allow unless the passwords don't match" thing, rather than a "allow if the passwords match".
Not really sure what you mean there. The logic is something like
if (user_exists) { if (password_is_correct) { login; } else { error; } } else { if (login_is_local) { create_user; login; } else { error; } }
Good re-state using pseudo-code.
If hardened, and power cycled, do the accounts disappear?
No, why would they?
Because the accounts weren't hardened with the core system. You'd have to have a persistent form of storing the accounts from powercycle to powercycle - either that or a really trustworthy ups.
How do you verify that a user (even if the account hasn't been created) is allowed to connect, even if the account isn't created?
Didn't think of that one, hence the login_is_local stuff above. Of course I don't know if testing if the login_is_local is possible. Refer to my first two statements in this email.
You can indeed test if the login is local, but to test that, there's got to be a method or a criteria for determining "local" vs. not. Perhaps you're looking for something that sets the password the first time someone logs in?
If you need a customized pam_module, any number of these guys around the list will be able to help. I had to port the pam_mysql from Linux to BSD, so I'm also able to help.
Thanks a whole lot. :-D
I noticed you didn't cc your last email to the list, so I'm not cc'ing this either...
That was my mistake.
Thanks, Harold
Harold Martin wrote:
On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
Yes, though I'd have no clue as to why. The whole intent of PAM is to make the security of a device more easily configurable, and just opening the door for users to log in with a new user ID opens a LOT of security holes.
I'm open to suggestions (besides creating a special user to create users, which I've already ruled out).
I'm putting it out as a system where there will be a limited set of people who will be allowed to access it. The computer itself will be hardened. The only apps that will be availible to users will be email, web, and cards (basically). Certainly no console access. I realize that with enough effort those outside of my given range of users could login. That it could be used for cracking. That users could bumble around and create 100 accounts for themselves. (The latter being the worst of my fears ;) ) But I have yet to see a better way...
If you have programming skills, you can create a module that catches the pam_sm_authenticate function, checks for the user, and if not found, creates the user and returns success.
I really don't have enough skills with PAM in specific (or C in general). And this system is supposed to be availible soon, so I really dn't have time to learn :( If someone wants to mentor me in programming such a module, I'd be extremly appreciative.
Harold
Is there any way I can use PAM to dynamically create a users, if the username doesn't exist? I've looked at creating a user whose sole purpose is to create users, but I don't want to do that.
How can I get something like this working?
Thanks, Harold
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
