On Wed, 2003-10-22 at 10:00, Joe Lewis wrote:
> Harold Martin wrote:
> >
> >>Harold Martin wrote:
> >>>>If hardened, and power cycled, do the accounts disappear?
> >>>
> >>>No, why would they?
> >>
> >>Because the accounts weren't hardened with the core system. You'd have
> >>to have a persistent form of storing the accounts from powercycle to
> >>powercycle - either that or a really trustworthy ups.
> >
> > I've really lost you here.
> > My idea is just to copy a template account for the new user.
> > This would then be all on the HD, right?
>
> So, the accounts are not really "hardened", then, just put on a hard
> drive. I understand. Sorry for not clarifying that.
>
> > For my purposes, local=someone typing on the physically attached
> > keyboard and getting feedback through the physically attached display.
>
> A simple module would suffice using the pseudo-code you already wrote,
> and then put it in the login.conf file in /etc/pam.d. Nothing else will
> use the module to authenticate (ssh/telnet/mail), only a console text
> login (X windows might need one, too, if you want to allow that, by
> putting a reference to the module in the /etc/pam.d/[gkx]dm.conf files
> (depends on if you are using gnome, kde, or regular X) for the login and
> xscreensaver.conf for handling the screen savers).

I plan on using X with GDM.
I'd still like to allow some accounts to be ssh'd into.
(Is this getting too complex? ;) )
Like I said before, I can't even write a "simple module", so I'd
appreciate all the help I can get...

Thanks,
Harold

> Joe
>
> > Thanks a ton,
> > Harold
> >
> >>>>If you need a customized pam_module, any number of these guys around the
> >>>>list will be able to help. I had to port the pam_mysql from Linux to
> >>>>BSD, so I'm also able to help.
> >>>
> >>>Thanks a whole lot. :-D
> >>>
> >>>I noticed you didn't cc your last email to the list, so I'm not cc'ing
> >>>this either...
> >>
> >>That was my mistake.
> >>
> >>>Thanks,
> >>>Harold
> >>>
> >>>>Harold Martin wrote:
> >>>>
> >>>>>On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
> >>>>>
> >>>>>>Yes, though I'd have no clue as to why. The whole intent of PAM is to
> >>>>>>make the security of a device more easily configurable, and just opening
> >>>>>>the door for users to log in with a new user ID opens a LOT of security
> >>>>>>holes.
> >>>>>
> >>>>>I'm open to suggestions (besides creating a special user to create
> >>>>>users, which I've already ruled out).
> >>>>>
> >>>>>I'm putting it out as a system where there will be a limited set of
> >>>>>people who will be allowed to access it. The computer itself will be
> >>>>>hardened. The only apps that will be available to users will be email,
> >>>>>web, and cards (basically). Certainly no console access.
> >>>>>I realize that with enough effort those outside of my given range of
> >>>>>users could login. That it could be used for cracking. That users could
> >>>>>bumble around and create 100 accounts for themselves.
> >>>>>(The latter being the worst of my fears ;) )
> >>>>>But I have yet to see a better way...
> >>>>>
> >>>>>>If you have programming
> >>>>>>skills, you can create a module that catches the pam_sm_authenticate
> >>>>>>function, checks for the user, and if not found, creates the user and
> >>>>>>returns success.
> >>>>>
> >>>>>I really don't have enough skills with PAM in specific (or C in general).
> >>>>>And this system is supposed to be available soon, so I really don't have
> >>>>>time to learn :(
> >>>>>If someone wants to mentor me in programming such a module, I'd be
> >>>>>extremely appreciative.
> >>>>>
> >>>>>Harold
> >>>>>
> >>>>>>>Is there any way I can use PAM to dynamically create a user, if the
> >>>>>>>username doesn't exist?
> >>>>>>>I've looked at creating a user whose sole purpose is to create users,
> >>>>>>>but I don't want to do that.
> >>>>>>>
> >>>>>>>How can I get something like this working?
> >>>>>>>
> >>>>>>>Thanks,
> >>>>>>>Harold

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
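
The thread's point that a module only affects the services whose /etc/pam.d file references it can be checked mechanically. The following is an added example, not code from the thread or from Linux-PAM: it parses PAM service files and reports which services reach a given module in their auth stack, following include lines. The module name `pam_autocreate.so` is hypothetical and the service files are constructed samples.

```python
import re

# Hypothetical name for the account-creating module discussed in the thread.
MODULE = "pam_autocreate.so"

def parse_service(text):
    """Yield (type, control, module_or_target) for each rule in one pam.d file."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):       # Debian-style whole-file include
            yield ("*", "include", line.split()[1])
            continue
        # type, then a simple or [bracketed] control field, then the module
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            yield (m.group(1).lower(), m.group(2), m.group(3))

def services_using(files, module=MODULE, phase="auth"):
    """Return sorted names of files whose `phase` stack reaches `module`."""
    def reaches(name, seen):
        if name in seen or name not in files:
            return False
        seen.add(name)                        # guards against include loops
        for typ, control, target in parse_service(files[name]):
            if typ not in (phase, "*"):
                continue
            if control in ("include", "substack"):
                if reaches(target, seen):
                    return True
            elif target.rsplit("/", 1)[-1] == module:
                return True
        return False
    return sorted(s for s in files if reaches(s, set()))

# Constructed sample: service name -> file contents (not taken from a real host).
SAMPLE = {
    "login": "auth required pam_securetty.so\n"
             "auth sufficient pam_autocreate.so  # console only\n",
    "gdm": "auth [success=ok default=bad] /lib/security/pam_autocreate.so\n"
           "auth include system-auth\n",
    "sshd": "#auth sufficient pam_autocreate.so\n"
            "auth include system-auth\naccount required pam_nologin.so\n",
    "system-auth": "auth required pam_unix.so \\\n    nullok\n",
}

if __name__ == "__main__":
    print(services_using(SAMPLE))
```

If the module line were moved into the shared `system-auth` file instead, `sshd` would appear in the result as well, which is the exposure the per-service placement avoids.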