Automate building group files?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Recently I have come across the problem where the pam_krb5 module was
inserted after the pam_unix module:

account        requisite       pam_unix.so     try_first_pass
account        required        pam_krb5.so     use_first_pass

rather than something like this:

account         [success=1 default=ignore]      pam_krb5.so  try_first_pass
account         required        pam_unix.so

effectively locking out EVERYONE including root!

I was wondering if it was possible to describe PAM modules such that the
correct sequence could be generated automatically given a set of desired
modules.
I was thinking in the direction of the systemd service descriptions eg
specifying that a given module is only relevant for a specific set of groups
pam_access
    use ACCOUNT:required
pam_apparmor
    use SESSION:optional
pam_krb5
    use ACCOUNT:required, AUTH:sufficient, PASSWORD:sufficient,
SESSION:optional
pam_unix
    use ACCOUNT:required, AUTH:required, PASSWORD:required, SESSION:required
pam_env
    use AUTH:required, SESSION:optional

and maybe also specifying that if one module is included, another one
must also be included ("requires", "wants") or defining some hierarchy
between modules.

That way
* a set of common group files (to be included) could be automatically
generated given a set of desired modules ("I want Kerberos
Authentication and some smartcard stuff if that is not available")
* a manually crafted set of group files could be checked for correctness
("module A is required for module B").

This is only a first thought ...

Josef

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list



[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux