Re: Automate building group files?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Čt, 2016-10-27 at 15:10 +0200, Josef Moellers wrote:
> Recently I have come across the problem where the pam_krb5 module was
> inserted after the pam_unix module:
> account        requisite     try_first_pass
> account        required     use_first_pass
> rather than something like this:
> account         [success=1
> default=ignore]  try_first_pass
> account         required
> effectively locking out EVERYONE including root!
> I was wondering if it was possible to describe PAM modules such that
> the
> correct sequence could be generated automatically given a set of
> desired
> modules.
> I was thinking in the direction of the systemd service descriptions
> eg
> specifying that a given module is only relevant for a specific set of
> groups
> pam_access
>     use ACCOUNT:required
> pam_apparmor
>     use SESSION:optional
> pam_krb5
>     use ACCOUNT:required, AUTH:sufficient, PASSWORD:sufficient,
> SESSION:optional
> pam_unix
>     use ACCOUNT:required, AUTH:required, PASSWORD:required,
> SESSION:required
> pam_env
>     use AUTH:required, SESSION:optional
> and maybe also specifying that if one module is included, another one
> must also be included ("requires", "wants") or defining some
> hierarchy
> between modules.
> That way
> * a set of common group files (to be included) could be automatically
> generated given a set of desired modules ("I want Kerberos
> Authentication and some smartcard stuff if that is not available")
> * a manually crafted set of group files could be checked for
> correctness
> ("module A is required for module B").
> This is only a first thought ...

This could only describe the "recommended" way to set up a module, but
it cannot be a hard limitation on its use.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux