Has anyone been able to work on something like this? This is for a community project I'm doing, so I can't offer any money, sorry. Is there anything I can do to help get this done?

Thanks,
Harold

On Wed, 2003-10-22 at 10:39, Joe Lewis wrote:
> Okay, here's the steps to setting up the said system :
>
> 1 - write (you or someone else) a module that will create the account
> if not already created. The module checks for an account - if it
> exists, do not process it - if it doesn't exist, create it and return
> success. The other PAM modules will allow it if the username exists and
> the password matches.
> 2 - allow text console logins by adding a reference for the new
> module to /etc/pam.d/login.conf
> 3 - allow GDM console logins by adding a reference for the new module
> to /etc/pam.d/gdm.conf
> 4 - make sure any accounts needing ssh are in the username/password
> file - once a console log in has been done, the account should later
> allow the user to ssh.
>
> Okay, any of you guys out there have spare time to write a module?
>
> Joe
>
> Harold Martin wrote:
>
> > On Wed, 2003-10-22 at 10:00, Joe Lewis wrote:
> >
> >>Harold Martin wrote:
> >>
> >>>>Harold Martin wrote:
> >>>>
> >>>>>>If hardened, and power cycled, do the accounts disappear?
> >>>>>
> >>>>>No, why would they?
> >>>>
> >>>>Because the accounts weren't hardened with the core system. You'd have
> >>>>to have a persistent form of storing the accounts from powercycle to
> >>>>powercycle - either that or a really trustworthy ups.
> >>>
> >>>I've really lost you here.
> >>>My idea is just to copy a template account for the new user.
> >>>This would then be all on the HD, right?
> >>
> >>So, the accounts are not really "hardened", then, just put on a hard
> >>drive. I understand.
> >
> > Sorry for not clarifying that.
> >
> >>>For my purposes, local=someone typing on the physically attached
> >>>keyboard and getting feedback through the physically attached display.
> >>
> >>A simple module would suffice using the pseudo-code you already wrote,
> >>and then put it in the login.conf file in /etc/pam.d. Nothing else will
> >>use the module to authenticate (ssh/telnet/mail), only a console text
> >>login (X windows might need one, too, if you want to allow that, by
> >>putting a reference to the module in the /etc/pam.d/[gkx]dm.conf files
> >>(depends on if you are using gnome, kde, or regular X) for the login and
> >>xscreensaver.conf for handling the screen savers.
> >
> > I plan on using X with GDM.
> > I'd still like to allow some accounts to be ssh'd into.
> > (Is this getting too complex? ;) )
> > Like I said before, I can't even write a "simple module", so I'd
> > appreciate all the help I can get...
> >
> > Thanks,
> > Harold
> >
> >>Joe
> >>
> >>>Thanks a ton,
> >>>Harold
> >>>
> >>>>>>If you need a customized pam_module, any number of these guys around the
> >>>>>>list will be able to help. I had to port the pam_mysql from Linux to
> >>>>>>BSD, so I'm also able to help.
> >>>>>
> >>>>>Thanks a whole lot. :-D
> >>>>>
> >>>>>I noticed you didn't cc your last email to the list, so I'm not cc'ing
> >>>>>this either...
> >>>>
> >>>>That was my mistake.
> >>>>
> >>>>>Thanks,
> >>>>>Harold
> >>>>>
> >>>>>>Harold Martin wrote:
> >>>>>>
> >>>>>>>On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
> >>>>>>>
> >>>>>>>>Yes, though I'd have no clue as to why. The whole intent of PAM is to
> >>>>>>>>make the security of a device more easily configurable, and just opening
> >>>>>>>>the door for users to log in with a new user ID opens a LOT of security
> >>>>>>>>holes.
> >>>>>>>
> >>>>>>>I'm open to suggestions (besides creating a special user to create
> >>>>>>>users, which I've already ruled out).
> >>>>>>>
> >>>>>>>I'm putting it out as a system where there will be a limited set of
> >>>>>>>people who will be allowed to access it. The computer itself will be
> >>>>>>>hardened. The only apps that will be available to users will be email,
> >>>>>>>web, and cards (basically). Certainly no console access.
> >>>>>>>I realize that with enough effort those outside of my given range of
> >>>>>>>users could login. That it could be used for cracking. That users could
> >>>>>>>bumble around and create 100 accounts for themselves.
> >>>>>>>(The latter being the worst of my fears ;) )
> >>>>>>>But I have yet to see a better way...
> >>>>>>>
> >>>>>>>>If you have programming
> >>>>>>>>skills, you can create a module that catches the pam_sm_authenticate
> >>>>>>>>function, checks for the user, and if not found, creates the user and
> >>>>>>>>returns success.
> >>>>>>>
> >>>>>>>I really don't have enough skills with PAM in specific (or C in general).
> >>>>>>>And this system is supposed to be available soon, so I really don't have
> >>>>>>>time to learn :(
> >>>>>>>If someone wants to mentor me in programming such a module, I'd be
> >>>>>>>extremely appreciative.
> >>>>>>>
> >>>>>>>Harold
> >>>>>>>
> >>>>>>>>>Is there any way I can use PAM to dynamically create a user, if the
> >>>>>>>>>username doesn't exist?
> >>>>>>>>>I've looked at creating a user whose sole purpose is to create users,
> >>>>>>>>>but I don't want to do that.
> >>>>>>>>>
> >>>>>>>>>How can I get something like this working?
> >>>>>>>>>
> >>>>>>>>>Thanks,
> >>>>>>>>>Harold
> >>>>>>>>>
> >>>>>>>>>_______________________________________________
> >>>>>>>>>
> >>>>>>>>>Pam-list@xxxxxxxxxx
> >>>>>>>>>https://www.redhat.com/mailman/listinfo/pam-list
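An added example, not code from the thread or from either poster: the plain-C core of the module Joe's step 1 describes (look the account up, create it if missing, report success), written so a pam_sm_authenticate() can call it. The skeleton directory /etc/skel-kiosk, the rbash shell and all function names are assumptions of this example.

```c
#include <ctype.h>
#include <pwd.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define NAME_MAX_LEN 32

/* Accept only a plain lowercase identifier. Whatever was typed at the login
 * prompt ends up in useradd's argv, so this keeps "-u 0" or "../x" out. */
int valid_login_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > NAME_MAX_LEN || !islower((unsigned char)name[0]))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Create the account by exec'ing useradd with a fixed argv (no shell): home
 * copied from a kiosk skeleton (the "template account"), restricted shell.
 * The skeleton path and the shell are assumptions of this example. */
int run_useradd(const char *name)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/usr/sbin/useradd", "useradd", "-m", "-k", "/etc/skel-kiosk",
              "-s", "/usr/bin/rbash", "--", name, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* No-op creator for dry runs and tests that must not touch /etc/passwd. */
int dry_run_create(const char *name) { (void)name; return 0; }

/* 0 = account exists, 1 = created now, -1 = name rejected or creation failed.
 * The creator is injected so the policy can be exercised unprivileged. */
int ensure_account(const char *name, int (*create)(const char *))
{
    if (!valid_login_name(name)) return -1;
    if (getpwnam(name) != NULL) return 0;  /* exists: pam_unix checks the password next */
    return create(name) == 0 ? 1 : -1;
}
```

In the module, pam_sm_authenticate() would call pam_get_user() and return PAM_AUTH_ERR when ensure_account(user, run_useradd) is negative and PAM_SUCCESS otherwise. The name check is what stops the login prompt from becoming an argument-injection path into useradd; it does nothing about the "100 accounts" concern, which needs a cap or rate limit outside this function.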