PAM Design Question

I have a couple of design questions.

Firstly, are there any guarantees (i.e. is it a documented standard) regarding the order in which the PAM framework calls the PAM module functions? Can you safely assume across all platforms that it is the order specified in the config file?

My second question regards perhaps extending login functionality to perform account lockout upon failed authentication. My initial reaction is that this should be possible through PAM; however, to do this effectively you would need to know the return code from the entire module stack, which is only visible to the calling application.

e.g.
    Suppose there are 3 authentication modules: mod_a, mod_b, mod_c

    login calls pam_authenticate().

    pam_authenticate() -> PAM_STACK -> mod_a: pam_sm_authenticate()
                                    -> mod_b: pam_sm_authenticate()
                                    -> mod_c: pam_sm_authenticate() returns FAILURE

    pam_authenticate() <- FAILURE

The failure code is passed back to login by the PAM_STACK framework; no other module is aware of it, unless I've missed something fundamental!

Perhaps this is outside the design goals for PAM; however, it strikes me that it would be quite neat to permit a PAM module to register a callback against any of the function types (pam_sm_authenticate etc.), and then for the PAM_STACK framework to call these functions with the overall return code.

This would then enable the following flow:

    login calls pam_authenticate().

    pam_authenticate() -> PAM_STACK -> mod_a: pam_sm_authenticate()
                                         -> pam_set_callback(mod_a_authenticate_exit);
                                    -> mod_b: pam_sm_authenticate()
                                         -> pam_set_callback(mod_b_authenticate_exit);
                                    -> mod_c: pam_sm_authenticate() returns FAILURE

                                    -> mod_a_authenticate_exit(FAILURE)
                                    -> mod_b_authenticate_exit(FAILURE)

    pam_authenticate() <- FAILURE


Thoughts?

Rich

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
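Added example, not code from the original post and not Linux-PAM's own implementation: a toy model in C of the stack walk Rich describes, extended with the proposed exit-callback registration. It walks a constructed "auth" stack in config-file order, applies a simplified version of Linux-PAM's required/requisite/sufficient/optional control semantics to compute the overall result, and only then hands that overall result to every callback a module registered during the walk, which is exactly the information a lockout module cannot see today. PAM_SUCCESS and PAM_AUTH_ERR carry Linux-PAM's numeric values; pam_set_callback(), run_auth_stack(), mod_a/mod_b/mod_c and the demo_* helpers are constructed names. One caveat for Linux-PAM specifically: a module can already learn the application's final verdict indirectly, because the cleanup function registered with pam_set_data() receives an error_status argument at pam_end() whose low bits carry the status the application passed to pam_end().

```c
/* Constructed model of a PAM auth stack with exit callbacks (example code, not Linux-PAM). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS  0   /* Linux-PAM value */
#define PAM_AUTH_ERR 7   /* Linux-PAM value */

typedef enum { PAM_REQUIRED, PAM_REQUISITE, PAM_SUFFICIENT, PAM_OPTIONAL } control_t;
typedef void (*exit_cb_t)(const char *module, int overall_status);

/* One line of a constructed "auth" section of a PAM config file. */
struct stack_entry {
    const char *name;
    control_t   control;
    int       (*sm_authenticate)(void);
};

/* Callbacks registered while the stack runs (the hypothetical pam_set_callback). */
#define MAX_CALLBACKS 8
static struct { const char *module; exit_cb_t cb; } callbacks[MAX_CALLBACKS];
static size_t ncallbacks;

/* Record of what each exit callback was told, so results can be inspected. */
struct exit_record { const char *module; int status; };
struct exit_record exit_log[MAX_CALLBACKS];
size_t exit_log_len;

/* Hypothetical registration API, called by a module from its pam_sm_authenticate(). */
static int pam_set_callback(const char *module, exit_cb_t cb)
{
    if (ncallbacks >= MAX_CALLBACKS) return -1;
    callbacks[ncallbacks].module = module;
    callbacks[ncallbacks].cb = cb;
    ncallbacks++;
    return 0;
}

/* Exit handler: a lockout module would bump or reset a per-user failure counter here. */
static void record_exit(const char *module, int overall_status)
{
    if (exit_log_len < MAX_CALLBACKS) {
        exit_log[exit_log_len].module = module;
        exit_log[exit_log_len].status = overall_status;
        exit_log_len++;
    }
}

/* Constructed modules: mod_a and mod_b succeed and register callbacks, mod_c fails. */
static int mod_a_auth(void) { pam_set_callback("mod_a", record_exit); return PAM_SUCCESS; }
static int mod_b_auth(void) { pam_set_callback("mod_b", record_exit); return PAM_SUCCESS; }
static int mod_c_auth(void) { return PAM_AUTH_ERR; }

/* Walk the stack in config order (simplified Linux-PAM control rules), then report
 * the overall result to every callback registered during the walk. */
int run_auth_stack(const struct stack_entry *stack, size_t n)
{
    int overall = PAM_AUTH_ERR;           /* result if no module reports success */
    int required_failed = 0, first_required_err = PAM_SUCCESS;
    size_t i;

    ncallbacks = 0;
    exit_log_len = 0;
    for (i = 0; i < n; i++) {
        int rc = stack[i].sm_authenticate();
        int ok = (rc == PAM_SUCCESS);
        switch (stack[i].control) {
        case PAM_REQUISITE:               /* failure ends the walk immediately */
            if (!ok) { if (!required_failed) first_required_err = rc; required_failed = 1; goto done; }
            overall = PAM_SUCCESS;
            break;
        case PAM_REQUIRED:                /* failure is remembered, later modules still run */
            if (!ok) { if (!required_failed) first_required_err = rc; required_failed = 1; }
            else overall = PAM_SUCCESS;
            break;
        case PAM_SUFFICIENT:              /* success ends the walk unless a required module failed */
            if (ok && !required_failed) { overall = PAM_SUCCESS; goto done; }
            break;
        case PAM_OPTIONAL:                /* simplified: a success counts like any other */
            if (ok) overall = PAM_SUCCESS;
            break;
        }
    }
done:
    if (required_failed) overall = first_required_err;
    for (i = 0; i < ncallbacks; i++)      /* the proposed step: modules see the overall code */
        callbacks[i].cb(callbacks[i].module, overall);
    return overall;
}

/* Rich's scenario: three required modules, the last one fails. */
int demo_all_required(void)
{
    const struct stack_entry s[] = { {"mod_a", PAM_REQUIRED, mod_a_auth},
                                     {"mod_b", PAM_REQUIRED, mod_b_auth},
                                     {"mod_c", PAM_REQUIRED, mod_c_auth} };
    return run_auth_stack(s, 3);
}

/* A sufficient module short-circuits: mod_c never runs and never registers anything. */
int demo_sufficient_short_circuit(void)
{
    const struct stack_entry s[] = { {"mod_a", PAM_SUFFICIENT, mod_a_auth},
                                     {"mod_c", PAM_REQUIRED, mod_c_auth} };
    return run_auth_stack(s, 2);
}

int main(void)
{
    size_t i;
    int rc = demo_all_required();
    printf("all-required stack returned %d\n", rc);
    for (i = 0; i < exit_log_len; i++)
        printf("  %s exit callback saw %d\n", exit_log[i].module, exit_log[i].status);
    rc = demo_sufficient_short_circuit();
    printf("sufficient stack returned %d with %zu callback(s) fired\n", rc, exit_log_len);
    return 0;
}
```

In the all-required case the walk continues past mod_c's failure (required, not requisite), the overall code becomes PAM_AUTH_ERR, and both registered exit callbacks receive that code even though their own pam_sm_authenticate() returned success. In the sufficient case the walk stops at mod_a, so only one callback fires and it sees PAM_SUCCESS.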
