Philip Yarra <philip.yarra@xxxxxxxxxxxxxxxx> wrote:

>> The only slight problem is that pam_abl will only run as root but I also
>> wanted to use it to protect httpd and php authentications which run as
>> apache - so I removed the root check from the source code and made the
>> database files world accessible.
>
> Hmmm... I think your approach makes sense.

The group idea is good. The only problem with that is pam authentication under php runs as the current user - so, without pam_abl, I could potentially have a user on the system launch an attack but not be blocked. Thus, I think I'm stuck with world accessible files for now (Not that I like it though).

>> I'd recommend that you give pam_abl a go! If you need a hand to get it
>> working with services that authenticate while non-root, let me know and
>> I'll send you details of my modification.
>
> Have you considered contributing it as a patch?

I can do - it's really nothing as I only commented three or so lines out.

> Actually, my case is a bit easier, the only service I offer with auth is
> SSH, and at present I've simply firewalled off everything except 2 IPs.

That definitely makes things much easier! :-)

Thinking about it, have you considered public/private key authentication? I use it on my system to restrict shell access - everyone with a password is just left with file transfers using scponlyc.

> I really prefer to block access at the network level, so I've been looking
> at what would be involved in using a libipq app to look up allowed dynamic
> DNS host names (yeah, I'm on no-ip.org too :-) ) for incoming SYN packets
> and see if they currently resolve to the incoming IP address. If so,
> allow the TCP connection, else DROP. That, combined with pam_abl would be
> pretty formidable.

Could that be vulnerable to password attacks on no-ip or even DNS poisoning?

I was initially attracted to the idea of combining pam_abl with blocking at the network level, but I now feel that I would prefer the attacks to get through to pam_abl - at least then the attacker will have no idea that they are blocked and if they stumble upon the right password it will just (hopefully) be refused by pam_abl and they will continue searching!

> Now, spare time? That's the issue. I'll give it a go when I can.

Tell me about it! :-/

> I think the root-only auth will be okay. You made me think though... your
> situation is analogous to shadow passwords in some ways. Would suid root
> code be a way to handle this need to auth non-root users?

I thought about that, but I'm not sure whether I can do it within modules... It's been a long while since I did any serious C programming and I've got a fair bit of reading up to do yet... I'm making my way through the pam programmers guide and will then dust off my linux programming guide!

Ah-ha! I've just realised that, as you pointed out, this is exactly what happens with the shadow password so it is definitely possible! Hopefully all will become clear soon...

-- 
Benjamin
benjamin@xxxxxxxxxxxxxxxxxxxx

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
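The decision logic behind the libipq idea quoted above (allow an incoming SYN only if one of a fixed set of dynamic-DNS names currently resolves to its source address, otherwise DROP), written out as an added example that is not code from the thread or from any libipq or pam_abl project. The host names and the resolver table are constructed placeholders; a real packet-queue program would plug `socket.getaddrinfo` in as the resolver and return the verdict to the queue. It also makes the two choices the thread does not spell out: only new inbound attempts to the protected ports are gated, and a name that fails to resolve counts as not matching (fail closed).

```python
"""Dynamic-DNS allowlist check for incoming TCP SYN packets (added example)."""
from ipaddress import ip_address
from typing import Callable, Iterable, List

ALLOW, DROP = "ALLOW", "DROP"

# Hypothetical allowed dynamic-DNS names (placeholders, not real hosts).
ALLOWED_HOSTS = ("home.example-dyndns.test", "laptop.example-dyndns.test")

# Constructed table standing in for live DNS answers; a name may have
# several A records, and a missing name behaves like NXDOMAIN.
FAKE_DNS = {
    "home.example-dyndns.test": ["198.51.100.7"],
    "laptop.example-dyndns.test": ["203.0.113.20", "203.0.113.21"],
}


def fake_resolve(name: str) -> List[str]:
    """Return the current A records for name, or [] if it does not resolve."""
    return FAKE_DNS.get(name, [])


def verdict(src_ip: str, dst_port: int, syn: bool, ack: bool,
            allowed_hosts: Iterable[str],
            resolve: Callable[[str], List[str]],
            protected_ports: Iterable[int] = (22,)) -> str:
    """Decide ALLOW or DROP for one inbound TCP packet.

    Only connection attempts (SYN set, ACK clear) to a protected port are
    gated; everything else is left to the rest of the firewall policy.
    """
    if not syn or ack or dst_port not in set(protected_ports):
        return ALLOW

    try:
        src = ip_address(src_ip)
    except ValueError:
        return DROP  # malformed address: nothing can match it

    for host in allowed_hosts:
        try:
            answers = resolve(host)
        except OSError:
            answers = []  # lookup failure or timeout: treat as no match
        if any(ip_address(a) == src for a in answers):
            return ALLOW
    return DROP


if __name__ == "__main__":
    # Constructed SYN packets: (source, destination port, SYN, ACK)
    samples = [
        ("198.51.100.7", 22, True, False),   # matches home.* -> ALLOW
        ("203.0.113.21", 22, True, False),   # second A record of laptop.* -> ALLOW
        ("192.0.2.1", 22, True, False),      # unknown source -> DROP
        ("192.0.2.1", 80, True, False),      # not a protected port -> ALLOW
    ]
    for src, port, syn, ack in samples:
        print(src, port, verdict(src, port, syn, ack, ALLOWED_HOSTS, fake_resolve))
```

Two caveats a deployment would want, both touching the concern raised in the reply about DNS poisoning: the resolver's answer is unauthenticated, so whatever controls the dynamic-DNS record (or can forge the answer) controls the allowlist, and resolving every name on every SYN is a lookup per connection attempt, so the answers should be cached for their TTL rather than queried live each time.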