Automate building group files?



Recently I have come across the problem where the pam_krb5 module was
inserted after the pam_unix module:

account        requisite     try_first_pass
account        required     use_first_pass

rather than something like this:

account         [success=1 default=ignore]  try_first_pass
account         required

effectively locking out EVERYONE including root!

I was wondering if it was possible to describe PAM modules such that the
correct sequence could be generated automatically given a set of desired
I was thinking in the direction of the systemd service descriptions, e.g.
specifying that a given module is only relevant for a specific set of groups:
    use ACCOUNT:required
    use SESSION:optional
    use ACCOUNT:required, AUTH:sufficient, PASSWORD:sufficient,
    use ACCOUNT:required, AUTH:required, PASSWORD:required, SESSION:required
    use AUTH:required, SESSION:optional

and maybe also specifying that if one module is included, another one
must also be included ("requires", "wants") or defining some hierarchy
between modules.

That way
* a set of common group files (to be included) could be automatically
generated given a set of desired modules ("I want Kerberos
Authentication and some smartcard stuff if that is not available")
* a manually crafted set of group files could be checked for correctness
("module A is required for module B").

This is only a first thought ...


Pam-list mailing list
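
The checking half of the idea above, written out as an added example (not part of the original post and not a Linux-PAM feature): a Python checker that parses one management group from a PAM file and reports violations of per-module descriptors. The descriptor fields (use, requires, before), the module names placed in the sample stacks, and the rule that pam_krb5.so precedes pam_unix.so are assumptions chosen to mirror the failure the post describes.

```python
import re

# Hypothetical descriptors modelled on the post's "use"/"requires" idea.
# Field names and the policy they encode are assumptions for illustration.
DESCRIPTORS = {
    "pam_krb5.so": {"use": {"account": "[success=1 default=ignore]"},
                    "requires": ["pam_unix.so"], "before": ["pam_unix.so"]},
    "pam_unix.so": {"use": {"account": "required"}, "requires": [], "before": []},
}

# type, control (keyword or "[value=action ...]"), module, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, group):
    """Return [(control, module, args)] for one management group, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        m = LINE.match(line)                  # blank and @include lines do not match
        if m and m.group(1).lower() == group:
            control = " ".join(m.group(2).split())  # normalise inner whitespace
            stack.append((control, m.group(3), m.group(4).split()))
    return stack

def check_stack(text, group, descriptors=DESCRIPTORS):
    """Return a list of human-readable descriptor violations for one group."""
    stack = parse_stack(text, group)
    order = [mod for _, mod, _ in stack]
    problems = []
    for pos, (control, mod, _) in enumerate(stack):
        d = descriptors.get(mod)
        if d is None:
            problems.append(f"{mod}: no descriptor")
            continue
        want = d["use"].get(group)
        if want and control != want:
            problems.append(f"{mod}: control {control!r}, descriptor says {want!r}")
        for dep in d["requires"]:
            if dep not in order:
                problems.append(f"{mod}: requires {dep}, which is missing")
        for later in d["before"]:
            if later in order and order.index(later) < pos:
                problems.append(f"{mod}: must come before {later}")
    return problems

# Constructed sample stacks; module placement is illustrative only.
BAD = "account requisite pam_unix.so\naccount required pam_krb5.so\n"
GOOD = "account [success=1 default=ignore] pam_krb5.so\naccount required pam_unix.so\n"
```

Running check_stack(BAD, "account") before a file is installed reports the misplaced module and the mismatched controls; an empty list means the stack satisfies every descriptor.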
