
severe deficiencies in our PAM setup

OK, I was finally trying to read up on PAM to see how to package the Kerberos
PAM module so everything works smoothly. As near as I can tell there's no way
to do this.

In Debian each pam.d file is for a specific service and is populated with
pam_unix rules by default. There's no concept of the "standard" authentication
model for a system.

As a result it's easy to install new services, which Debian does, but it's
impossible to configure a new authentication method. Even if the local system
administrator goes and edits every single pam.d file to use the new authentication
method, they get bitten badly every time they install a new service, and have a
painful upgrade every time they upgrade any of the services they edited.

I see two options:

1) We make it policy that every package comes with an _empty_ pam.d file and
   works properly with the standard Debian "other" service definition.

2) A more complicated but more powerful solution would be some way to define
   pseudo-services like "standard" which can be specified as a module for
   other routines. Then we could prescribe that all services ship with the
   default being to inherit the standard authentication unless there are special
   requirements for it.

   I wonder if this can be implemented in PAM without modifying the standard;
   all we need is a pam_inherit.so with an argument like "parent=foo" which
   calls PAM recursively with the service name "foo".

I think I would lean to the former; it's simpler and nearly good enough. I'm
not sure every module's current configuration could be emulated by a single
"other" configuration, though.
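As an added illustration of the two options above (a constructed example, not code from the post or from Linux-PAM): a small Python model of a per-service pam.d directory in which an empty or missing service file falls through to "other" (option 1) and a hypothetical pam_inherit.so with parent=foo splices in another service's rules of the same type (option 2). The PAMD dictionary and the names parse, resolve and modules are assumptions; the "loop" entry shows why a parent= chain needs a cycle guard.

```python
from typing import Dict, List, Tuple

# Constructed in-memory stand-in for /etc/pam.d (service name -> file text). The
# empty 'login' entry models option 1; pam_inherit.so is the hypothetical option-2
# module from the post, not a real Linux-PAM module.
PAMD = {
    "other": "auth required pam_unix.so\naccount required pam_unix.so\n",
    "standard": "auth sufficient pam_krb5.so\nauth required pam_unix.so\n"
                "account required pam_unix.so\n",
    "login": "",
    "sshd": "auth required pam_inherit.so parent=standard\n"
            "account required pam_unix.so\n",
    "loop": "auth required pam_inherit.so parent=loop\n",
}
Rule = Tuple[str, str, str, List[str]]  # (type, control, module, args)

def parse(text: str) -> List[Rule]:
    """Parse classic 'type control module [args...]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {line!r}")
        rules.append((parts[0], parts[1], parts[2], parts[3:]))
    return rules

def resolve(service: str, pamd: Dict[str, str] = PAMD, _seen=()) -> List[Rule]:
    """Effective stack for `service` under the post's proposed semantics: a
    missing or empty file falls through to 'other'; pam_inherit.so splices in
    the parent's rules of the same type. A cycle in parent= chains raises."""
    if service in _seen:
        raise RecursionError("pam_inherit cycle: " + " -> ".join(_seen + (service,)))
    rules = parse(pamd.get(service, ""))
    if not rules:
        return [] if service == "other" else resolve("other", pamd, _seen + (service,))
    out = []
    for typ, ctrl, mod, args in rules:
        if mod == "pam_inherit.so":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            if "parent" not in opts:
                raise ValueError("pam_inherit.so needs parent=<service>")
            out.extend(r for r in resolve(opts["parent"], pamd, _seen + (service,))
                       if r[0] == typ)
        else:
            out.append((typ, ctrl, mod, args))
    return out

def modules(service: str, typ: str = "auth") -> List[str]:
    return [r[2] for r in resolve(service) if r[0] == typ]
```

Later Linux-PAM releases added the `include` and `substack` control values, and Debian's pam.d files now use `@include common-auth` lines, which is essentially option 2 built into the library.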

