Re: Automate building group files?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Čt, 2016-10-27 at 15:10 +0200, Josef Moellers wrote:
> Recently I have come across the problem where the pam_krb5 module was
> inserted after the pam_unix module:
> 
> account        requisite       pam_unix.so     try_first_pass
> account        required        pam_krb5.so     use_first_pass
> 
> rather than something like this:
> 
> account         [success=1
> default=ignore]      pam_krb5.so  try_first_pass
> account         required        pam_unix.so
> 
> effectively locking out EVERYONE including root!
> 
> I was wondering if it was possible to describe PAM modules such that
> the
> correct sequence could be generated automatically given a set of
> desired
> modules.
> I was thinking in the direction of the systemd service descriptions
> eg
> specifying that a given module is only relevant for a specific set of
> groups
> pam_access
>     use ACCOUNT:required
> pam_apparmor
>     use SESSION:optional
> pam_krb5
>     use ACCOUNT:required, AUTH:sufficient, PASSWORD:sufficient,
> SESSION:optional
> pam_unix
>     use ACCOUNT:required, AUTH:required, PASSWORD:required,
> SESSION:required
> pam_env
>     use AUTH:required, SESSION:optional
> 
> and maybe also specifying that if one module is included, another one
> must also be included ("requires", "wants") or defining some
> hierarchy
> between modules.
> 
> That way
> * a set of common group files (to be included) could be automatically
> generated given a set of desired modules ("I want Kerberos
> Authentication and some smartcard stuff if that is not available")
> * a manually crafted set of group files could be checked for
> correctness
> ("module A is required for module B").
> 
> This is only a first thought ...

This could only describe the "recommended" way to set up a module, but
it cannot be a hard limitation on its use.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)



_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list




[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux