Re: Is it too late to try and generalize PAM for woody?

To: debian-devel@lists.debian.org
Subject: Re: Is it too late to try and generalize PAM for woody?
From: Daniel Martin <dtmartin24@home.com>
Date: 26 Jun 2001 15:17:54 -0400
Message-id: <[🔎] 871yo7oxst.fsf@cush.martinhouse.internal>
In-reply-to: <[🔎] Pine.LNX.4.30.0106261234260.30711-100000@tennyson.netexpress.net>
References: <[🔎] Pine.LNX.4.30.0106261234260.30711-100000@tennyson.netexpress.net>

I've been following this thread and I have a small question as to why
we'd need to overload/change the semantics of the /etc/pam.d/other
file.

Why not merely build a new pam module, called something like
pam_chain, that does nothing but invoke other pam modules as specified
in its configuration?  To get an example of what I mean:

In /etc/pam.d/ssh:
auth     required pam_chain.so chain=default
account  required pam_chain.so chain=default
session  required pam_chain.so chain=default
password required pam_chain.so chain=default

Then, in /etc/security/pam_chain.d/default (Or a better file name -
I'm open to suggestions), we'd have:

auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so

account    required     pam_unix.so
account    required     pam_access.so

session    required     pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard
session    required     pam_limits.so

password   required     pam_unix.so

In other words, pam_chain would be a pam module that would read an
alternate configuration, and parse it just as libpam does.  This
should be functionally equivalent to having a C-style #include
facility in pam files, yet it has the distinct advantage of not
requiring changes to the overall way that pam works, and of
maintaining some measure of compatibility upstream.

We could even write pam_chain to do fallback chains, so that you could
have /etc/pam.d/ssh say:

auth required pam_chain.so chain=ssh,encryptednet,interactive,default

and that would mean that pam_chain.so would first try to find an "ssh"
chain, then a chain called "encryptednet" (presumably for ssh and any
other encrypted channel), then an "interactive" chain, and finally
fall back to the default chain.  This could allow the sysadmin to
specify their pam options in a nice hierarchy, assuming we can trust
Debian developers to build up such a hierarchy.

(Add other syntax for pam_chain here - concatenating chains, allowing
one chain to say "act as though I'm not here", etc.)

Of course, this whole solution depends on my understanding of the main
problem with the current pam setup - have I missed some of what we
want to do that would not make this solution workable?

Reply to:

Follow-Ups:
- Re: Is it too late to try and generalize PAM for woody?
  - From: Sam Hartman <hartmans@debian.org>
- Re: Is it too late to try and generalize PAM for woody?
  - From: Steve Langasek <vorlon@netexpress.net>

References:
- Re: Is it too late to try and generalize PAM for woody?
  - From: Steve Langasek <vorlon@netexpress.net>

Prev by Date: Re: Is it too late to try and generalize PAM for woody?
Next by Date: Re: chkconfig packages for testing (will ITP soon)
Previous by thread: Re: Is it too late to try and generalize PAM for woody?
Next by thread: Re: Is it too late to try and generalize PAM for woody?
Index(es):
- Date
- Thread