On Wed, Apr 16, Tomas Mraz wrote:
> On Wed, 2008-04-16 at 18:58 +0300, Lassi Pölönen wrote:
> > Hi,
> >
> > I've been trying to implement netgroup based centralized authentication
> > control with pam. The downside of using pam_access with @users@@hosts
> > syntax is that when you have a group of users and group of hosts, it
> > seems all the users are allowed to log in to those hosts in the defined
> > group. Therefore that requires configuration on every host - a host has
> > to know which group to honor. pam_access doesn't seem to check the host
> > entry in the triple either.
>
> This could be added to pam_access - we could use the current @netgroup
> match in the user field and supply the local machine name as the host
> parameter of innetgr(). This would have to be enabled by module option
> so it doesn't break old configurations though. Or we could add another
> prefix character syntax for this kind of netgroup match.

With the change to the LOCAL keyword we will do already, I don't think
that a parameter or another prefix character is necessary.

The current pam_access behavior is wrong in regard to how netgroups are
designed. Strictly speaking, we could even classify the current behavior
as a security problem.

For Linux-PAM 1.1, we should change the innetgr call and supply the local
hostname.

  Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
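As an added illustration (not code from the thread or from Linux-PAM): a small Python re-implementation of innetgr(3)'s triple matching over constructed netgroup data, showing how a pam_access check that leaves the host argument unset admits a user on every host in the netgroup, while passing the local hostname limits them to the hosts their triples name. The netgroup names, hosts and users are made up for the example.

```python
# Constructed netgroup data in /etc/netgroup style: each member is either a
# (host, user, domain) triple or the name of a nested netgroup. An empty field
# is a wildcard and "-" matches nothing, as in the real netgroup format.
NETGROUPS = {
    "admins": [
        ("web1.example.org", "alice", ""),
        ("db1.example.org", "bob", ""),
        ("", "dave", ""),           # dave is allowed on any host
    ],
    "webops": [
        ("web1.example.org", "carol", ""),
        "admins",                   # nested netgroup
    ],
}


def innetgr(netgroup, host, user, domain, seen=None):
    """Return True if (host, user, domain) matches a triple in netgroup.
    A None argument is a wildcard, exactly like NULL in innetgr(3)."""
    if seen is None:
        seen = set()
    if netgroup in seen:            # guard against recursive netgroups
        return False
    seen.add(netgroup)
    for member in NETGROUPS.get(netgroup, []):
        if isinstance(member, str):
            if innetgr(member, host, user, domain, seen):
                return True
            continue
        fields = zip((host, user, domain), member)
        if all(f != "-" and (arg is None or f == "" or f == arg)
               for arg, f in fields):
            return True
    return False


def pam_access_allows(netgroup, user, local_host=None):
    """Mimic pam_access's @netgroup match in the user field.
    local_host=None reproduces the old behaviour (host field ignored);
    passing the local hostname is the change proposed in the thread."""
    return innetgr(netgroup, local_host, user, None)


if __name__ == "__main__":
    # Old behaviour: alice's triple names web1 only, yet she is admitted on db1.
    print("alice on db1, host ignored:", pam_access_allows("admins", "alice"))
    # Fixed behaviour: the host part of the triple is honoured.
    print("alice on db1, host checked:",
          pam_access_allows("admins", "alice", "db1.example.org"))
```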