Hello all PAM-people!
I'm creating a special service that allows users access to a chrooted file-area through 3 different protocols, and I need some suggestions from you experts.
The goal is to let users use any of these protocols : HTTPS/FTP/SSH2(sftp only) to get access to the same chrooted file-area (/), where they can do uploads/downloads.
The users don't have any shell access at all (I'm using restrictedshell(rssh)) to deny shell access to ssh-users.
At the moment, each service has different account databases, namely:
/etc/passwd for proftpd (with chroot-function), deny users are set in /etc/ftpusers
/data/etc/passwd (for chrooted sftp-users), deny users are set in /etc/ssh/sshd_config, DenyUsers
/opt/apache/.htpasswd-users for apache users.
Now as you can see, administering users is not trivial.
I have made a special script that uses useradd to add the user to the local system, and it automatically edits these configuration files to disable/enable access for each service (ftp,https,sftp)
As another option for sftp-users, they can choose between using asymmetric key login (public/private key) or password (for manual logins). Since most of the users have system-batch jobs accessing the sftp-service, they need keylogins to authenticate, since adding ssh-passwords arent supported in scripts (for safety reasons).
It has turned out this user-administration is bad because a single edit-error could destroy a whole userdatabase.
Another issue is that having /etc/passwd as a userdatabase allows system accounts to be exposed and brute-force attacked.
So I have been looking for a new way to implement this service, and came to the conclusion PAM would solve this!
Something like this:
Apache service (HTTPS) -> login form -> PAM module 1 -> central password database
Proftpd service (FTP) -> login prompt -> PAM module 2 -> central password database
SSH service (SFTP only) -> login prompt -> PAM module 3 -> central password database
A future service is FTP over SSL:
FTP SSL service -> login prompt -> PAM module 4 -> central password database
Central password database could be a Cisco Secure RADIUS or LDAP-server or mysql-database, depends which will work best :-)
A requirement is that the database would have to contain a access-column for each user , HTTPS/FTP/SFTP and that all logins are logged in a single log.
Is there ANY way to implement this without having to add local user unix-accounts?
As I have understood most of the PAM-auth modules give 0 or 1 for answer, 1 for login successful. It does not say which rights the user has.
Also I wonder if ssh-sftp-public-key login will work without a local user??
Can anyone guide me on this?
Sorry for a very long post, I hope anyone has time to help. I will quickly answer all your replies.
I have been looking at: pam_radius, pam_tacplus, pam_mysql, mod_auth_shadow for apache and php-pam (for PHP)
Cheers,
Magnus
System:
Solaris 8
Apache 1.3.x
OpenSSH 3.7.1p2 with my own sftp-chroot-patch
Proftpd 1.2.8
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
