[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: severe deficiencies in our PAM setup

Jason Gunthorpe <jgg@ualberta.ca> writes:

> On Sat, 23 Sep 2000, Joey Hess wrote:
> > > As a result it's easy to install new services, which debian does, but it's
> > > impossible to configure a new authentication method. Even if the local system
> > > administrator goes and edits every single pam.d to use the new authentication
> > > method they get bitten badly every time they install a new service, and have a
> > > painful upgrade every time they upgrade any of the services they edited.
> > 
> > Yeah, this has bitten me too. Say I want to set up reosurce limits -- I
> > have to add pam_limits.so to a bunch of files. Similarly if I want md5
> > passwords...
> Me too with the mk_homedir module.. It sucks.
> The other annoying thing is that all the pam.d's are different - that
> doesn't seem to make much sense to me..

Redhat has added the pam_stack module for this reason: you can configure every
service to use pam_stack which relies on another central configuration file
which describe which pam modules to use. For example, in /etc/pam.d/su, you
have on such system:

auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so

and in the central /etc/pam.d/system-auth :

auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_unix.so

Fred - May the source be with you

Reply to: