[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

The current (not existing) PAM policy


It seems to me that the way most packages thst use PAM for authentication
purposes, do it wrong. Currently each of these packages install a file
called /etc/pam.d/<package>. This file is then used by PAM to
authenticate users, accessing this package. Most of these files look
quite similar:

  auth      required    pam_unix.so
  account   required    pam_unix.so
  session   required    pam_unix.so
  password  required    pam_unix.so

Some packages contain more items or more comments, but they basic setup is
the same.

I think the current solution is wrong for several reasons:

 * This current setup is inconsitent. As I mentioned before, some
   package's setup differs slightly from that of others. This means, for
   example, that people changing their password through passwd might be
   subject to more limitations than people changing it through Samba.[1]
   Please have a look at the files in your /etc/pam.d directory to see
   what I mean.
 * With the current setup, an administrator who wishes to use a separate
   setup or different modules, has to change all the PAM files in
   /etc/pam.d by hand, looking for possible pitfalls. After installing a
   new package that uses PAM authentication, another PAM file must be
   configured. (If the admin knows that the package contains a PAM file,
   that is.)
 * The way it's currently done might even be harmful. Consider a system
   that gets its users information from LDAP, but only a selected group
   the users in the database is allowed access. This is configured using
   a custom module and works fine. Now the administrator decides to
   install the ssh package. SSH will put another default PAM into
   /etc/pam.d, allowing *every* user to connect, by means of the
   pam_unix.so module.

The solution to this is quite simple: Every package that comes with PAM
support should not install a valid PAM file in /etc/pam.d. Instead it
should come with an example file, maybe called /etc/pam.d/<package>.ex.
If the administrator wishes to use a custom configuration for this
package, he can edit this file and rename it properly. Otherwise the
default configuration in /etc/pam.d/other will get used automatically.
This would allow administrator to edit only one file, which will get
used by all PAM using packages.


 - Sebastian

[1] Please note that these are only examples. I've not researched,
    whether this is really the case in the passwd vs. Samba case.

Reply to: