On Fri, Mar 14, 2003 at 02:14:12AM +0100, Tim Dijkstra wrote:

> I agree something has to be done here, but using the 'other' file as a
> catch-all doesn't seem to be the solution to me.
> I vaguely remember that on a RedHat box there was a module (I
> think called pam_stack.so) that could be used to 'call' another pam
> service. Something along the lines of:
>
> /etc/pam.d/ssh:
> auth     required pam_stack.so call login
> session  required do some special ssh stuff
> session  required pam_stack.so call login
> .
> .
> /etc/pam.d/login:
> auth     required do login
> session  required ....
>
> Well you got the point. But I also vaguely remember there was something
> wrong with this according to the security experts, don't remember
> what...

It creates a separate pam stack for each set of calls, making it
impossible to share information between the authentication and
authorization stacks, for example.

I understand that Linux-PAM supports a straightforward $include syntax
that could be used in place of pam_stack, to much better effect. The
place to start is by patching libpam0g to provide suitable config
snippets that can be included by applications.

-- 
Steve Langasek
postmodern programmer
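To make the difference between the two approaches concrete, here is an added example (not from this thread or from libpam): a small resolver for Debian-style `@include` lines in /etc/pam.d files. It runs over a constructed, in-memory set of files standing in for the real directory, and shows that an include inlines the referenced file's lines into the calling service's own stack, so auth and session entries share one per-service stack rather than each call running as a stack of its own.

```python
"""Flatten Debian-style ``@include`` directives in PAM service files.

The file contents below are constructed sample data, not a real
system's configuration. Comments and blank lines are dropped;
'@include X' is replaced, in place, by the expansion of X.
"""
from typing import Dict, List, Tuple

# Constructed sample /etc/pam.d files (hypothetical contents).
PAM_FILES: Dict[str, str] = {
    "common-auth": "auth required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n# trailing comment\n",
    "ssh": (
        "@include common-auth\n"
        "session required pam_limits.so\n"
        "@include common-session\n"
    ),
}

Line = Tuple[str, str, str]  # (management group, control, module and args)


def flatten(service: str, files: Dict[str, str], depth: int = 0) -> List[Line]:
    """Return the fully expanded stack for *service* as one flat list."""
    if depth > 8:  # refuse include cycles / runaway nesting
        raise ValueError(f"include nesting too deep at {service}")
    if service not in files:
        raise FileNotFoundError(service)
    out: List[Line] = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("@include"):
            # Included lines land in *this* service's stack, in place.
            out.extend(flatten(line.split(None, 1)[1], files, depth + 1))
            continue
        group, control, rest = line.split(None, 2)
        out.append((group, control, rest))
    return out


def stack_for(service: str, group: str, files: Dict[str, str] = PAM_FILES) -> List[str]:
    """Modules of one management group (auth, session, ...) in call order."""
    return [rest for g, _, rest in flatten(service, files) if g == group]


if __name__ == "__main__":
    for g in ("auth", "session"):
        print(g, "->", stack_for("ssh", g))
```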