Recently I have come across the problem where the pam_krb5 module was
inserted after the pam_unix module:
account requisite pam_unix.so try_first_pass
account required pam_krb5.so use_first_pass
rather than something like this:
account [success=1 default=ignore] pam_krb5.so try_first_pass
account required pam_unix.so
effectively locking out EVERYONE including root!
I was wondering if it was possible to describe PAM modules such that the
correct sequence could be generated automatically given a set of desired
modules.
I was thinking in the direction of the systemd service descriptions eg
specifying that a given module is only relevant for a specific set of groups
pam_access
use ACCOUNT:required
pam_apparmor
use SESSION:optional
pam_krb5
use ACCOUNT:required, AUTH:sufficient, PASSWORD:sufficient,
SESSION:optional
pam_unix
use ACCOUNT:required, AUTH:required, PASSWORD:required, SESSION:required
pam_env
use AUTH:required, SESSION:optional
and maybe also specifying that if one module is included, another one
must also be included ("requires", "wants") or defining some hierarchy
between modules.
That way
* a set of common group files (to be included) could be automatically
generated given a set of desired modules ("I want Kerberos
Authentication and some smartcard stuff if that is not available")
* a manually crafted set of group files could be checked for correctness
("module A is required for module B").
This is only a first thought ...
Josef
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
