Re: Dynamic users - project info

[Joe Lewis <joe@xxxxxxxxx>]

Okay, here's the steps to setting up the said system :

  1 - write (you or someone else) a module that will create the account 
if not already created.  The module checks for an account - if it 
exists, do not process it - if it doesn't exist, create it and return 
success.  The other PAM modules will allow it if the username exists and 
the password matches.
  2 - allow text console logins by adding a reference for the new 
module to /etc/pam.d/login.conf
  3 - allow GDM console logins by adding a reference for the new module 
to /etc/pam.d/gdm.conf
  4 - make sure any accounts needing ssh are in the usename/password 
file - once a console log in has been done, the account should later 
allow the user to ssh.

Okay, any of you guys out there have spare time to write a module?

Joe

Harold Martin wrote:

> On Wed, 2003-10-22 at 10:00, Joe Lewis wrote:
>
> > Harold Martin wrote:
> >
> >
> > > > Harold Martin wrote:
> > > >
> > > > > > If hardened, and power cycled, do the accounts disappear? 
> > > > >
> > > > > No, why would they?
> > > >
> > > > Because the accounts weren't hardened with the core system.  You'd have 
> > > > to have a persistent form of storing the accounts from powercycle to 
> > > > powercycle - either that or a really trustworthy ups.
> > >
> > > I've really lost you here.
> > > My idea is jsut to copy a template account for the new user.
> > > This would then be all on the HD, right?
> >
> > So, the accounts are not really "hardened", then, just put on a hard 
> > drive.  I understand.
>
> Sorry for not clarifying that.
>
> > > For my purposes, local=someone typing on the physically attached
> > > keybaord and getting feedback through the physically attached display.
> >
> > A simple module would suffice using the pseudo-code you already wrote, 
> > and then put it in the login.conf file in /etc/pam.d.  Nothing else will 
> > use the module to authenticate (ssh/telnet/mail), only a console text 
> > login (X windows might need one, too, if you want to allow that, by 
> > putting a reference to the module in the /etc/pam.d/[gkx]dm.conf files 
> > (depends on if you are using gnome, kde, or regular X) for the login and 
> > xscreensaver.conf for handling the screen savers.
>
> I plan on using X with GDM.
> I'd still like to allow some accounts to be ssh'd into.
> (Is this getting too complex? ;) )
> Like I said before, I can't even write a "simple module", so I'd
> appreciate all the help I can get...
>
> Thanks,
> Harold
>
>
> > Joe
> >
> >
> > > Thanks a ton,
> > > Harold
> > >
> > >
> > >
> > > > > > If you need a customized pam_module, any number of these guys around the 
> > > > > > list will be able to help.  I had to port the pam_mysql from Linux to 
> > > > > > BSD, so I'm also able to help.
> > > > >
> > > > > Thanks a whole lot. :-D
> > > > >
> > > > > I noticed you didn't cc your last email to the list, so I'm not cc'ing
> > > > > this either...
> > > >
> > > > That was my mistake.
> > > >
> > > >
> > > >
> > > > > Thanks,
> > > > > Harold
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > > Harold Martin wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > > On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > Yes, though I'd have no clue as to why.  The whole intent of PAM is to 
> > > > > > > > make the security of a device more easily configurable, and just opening 
> > > > > > > > the door for users to log in with a new user ID opens a LOT of security 
> > > > > > > > holes.
> > > > > > >
> > > > > > >
> > > > > > > I'm open to suggestions (besides creating a special user to create
> > > > > > > users, which I've already ruled out).
> > > > > > >
> > > > > > > I'm putting it out as a system where there will be a limited set of
> > > > > > > people who will be allowed to access it. The computer itself will be
> > > > > > > hardened. The only apps that will be availible to users will be email,
> > > > > > > web, and cards (basically). Certainly no console access.
> > > > > > > I realize that with enough effort those outside of my given range of
> > > > > > > users could login. That it could be used for cracking. That users could
> > > > > > > bumble around and create 100 accounts for themselves.
> > > > > > > (The latter being the worst of my fears ;) )
> > > > > > > But I have yet to see a better way...
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > If you have programming 
> > > > > > > > skills, you can create a module that catches the pam_sm_authenticate 
> > > > > > > > function, checks for the user, and if not found, creates the user and 
> > > > > > > > returns success.
> > > > > > >
> > > > > > >
> > > > > > > I really don't have enough skills with PAM in specific (or C in general).
> > > > > > > And this system is supposed to be availible soon, so I really dn't have
> > > > > > > time to learn :(
> > > > > > > If someone wants to mentor me in programming such a module, I'd be
> > > > > > > extremly appreciative.
> > > > > > >
> > > > > > > Harold
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > > Is there any way I can use PAM to dynamically create a users, if the
> > > > > > > > > username doesn't exist?
> > > > > > > > > I've looked at creating a user whose sole purpose is to create users,
> > > > > > > > > but I don't want to do that.
> > > > > > > > >
> > > > > > > > > How can I get something like this working?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Harold
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > >
> > > > > > > > > Pam-list@xxxxxxxxxx
> > > > > > > > > https://www.redhat.com/mailman/listinfo/pam-list
> > > > _______________________________________________
> > > >
> > > > Pam-list@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/pam-list


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list