Re: The current (not existing) PAM policy
On Fri, 14 Mar 2003 00:45:59 +0100
Sebastian Rittau <srittau@jroger.in-berlin.de> wrote:
>
> * With the current setup, an administrator who wishes to use a separate
> setup or different modules, has to change all the PAM files in
> /etc/pam.d by hand, looking for possible pitfalls. After installing
> a new package that uses PAM authentication, another PAM file must
> be configured. (If the admin knows that the package contains a PAM
> file, that is.)
I was caught by this often, for each new box again :(
> The solution to this is quite simple: Every package that comes with
> PAM support should not install a valid PAM file in /etc/pam.d. Instead
> it should come with an example file, maybe called
> /etc/pam.d/<package>.ex. If the administrator wishes to use a custom
> configuration for this package, he can edit this file and rename it
> properly. Otherwise the default configuration in /etc/pam.d/other will
> get used automatically. This would allow administrator to edit only
> one file, which will get used by all PAM using packages.
I agree something has to be done here, but using the 'other' file as a
catch-all doesn't seem to be the solution to me.
I vaguely remember that on a RedHat box there was a module (I
think called pam_stack.so) that could be used to 'call' another pam
service. Something along the lines of:
/etc/pam.d/ssh:
auth required pam_stack.so call login
session required do some special ssh stuff
session required pam_stack.so call login
.
.
/etc/pam.d/login:
auth required do login
session required ....
Well, you get the point. But I also vaguely remember there was something
wrong with this according to the security experts, don't remember
what...
grts Tim
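The delegation Tim sketches above is what Red Hat's pam_stack.so did with a `service=NAME` argument, and what Linux-PAM later provided natively as the `include`/`substack` control and Debian as an `@include` line. The practical risk with any of these is the one the thread is about: a service file that references a stack which does not exist, or which references itself in a cycle, quietly ends up with different behaviour than the admin expects. The script below is an added example, not code from the mail or from any PAM project: it resolves a service's effective module stack by following all three reference forms and reports dangling or circular references. The /etc/pam.d tree it builds in a temporary directory is constructed for the demo; the service names, module arguments and the `pam_resolve`/`pam_check` helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve the effective PAM module stack of a service by
# following pam_stack.so "service=", "include"/"substack" and "@include"
# references, and flag references that do not resolve (MISSING), loop
# back on themselves (LOOP) or are malformed (BAD).

# Constructed sample /etc/pam.d tree, created in a temporary directory so
# the example never touches the real /etc/pam.d.
PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT

cat > "$PAMD/login" <<'EOF'
auth     required  pam_stack.so service=common-auth
account  required  pam_unix.so
session  required  pam_unix.so
EOF
cat > "$PAMD/ssh" <<'EOF'
auth     required  pam_stack.so service=login
session  required  pam_limits.so
session  include   login
EOF
cat > "$PAMD/common-auth" <<'EOF'
auth     required  pam_unix.so nullok_secure
EOF
cat > "$PAMD/broken" <<'EOF'
auth     required  pam_stack.so service=does-not-exist
EOF
cat > "$PAMD/loop-a" <<'EOF'
@include loop-b
EOF
cat > "$PAMD/loop-b" <<'EOF'
auth required pam_stack.so service=loop-a
EOF

# pam_resolve SERVICE [TYPE] [CHAIN]
# Prints one "service: type control module args" line per concrete module.
# TYPE, when set, keeps only lines of that management group, which is how
# "auth include X" and "auth required pam_stack.so service=X" behave.
# CHAIN is the colon-separated list of services already being expanded,
# used to detect cycles.
pam_resolve() {
    local svc=$1 want=${2:-} chain=${3:-} line type target arg
    case ":$chain:" in
        *":$svc:"*) echo "LOOP: $svc (chain: $chain)"; return 0 ;;
    esac
    if [ ! -f "$PAMD/$svc" ]; then
        echo "MISSING: $svc"
        return 0
    fi
    chain=${chain:+$chain:}$svc
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        set -- $line                # split into words
        if [ $# -eq 0 ]; then continue; fi
        if [ "$1" = "@include" ]; then      # Debian-style, all types
            pam_resolve "$2" "$want" "$chain"
            continue
        fi
        type=$1
        if [ -n "$want" ] && [ "$type" != "$want" ]; then continue; fi
        case "$2" in
            include|substack)               # Linux-PAM control keywords
                pam_resolve "$3" "$type" "$chain"; continue ;;
        esac
        if [ "$3" = "pam_stack.so" ]; then  # Red Hat's pam_stack module
            target=
            shift 3
            for arg in "$@"; do
                case "$arg" in service=*) target=${arg#service=} ;; esac
            done
            if [ -z "$target" ]; then
                echo "BAD: pam_stack.so without service= in $svc"
                continue
            fi
            pam_resolve "$target" "$type" "$chain"
            continue
        fi
        echo "$svc: $*"
    done < "$PAMD/$svc"
}

# pam_check SERVICE: print the resolved stack; return 1 if any reference
# could not be resolved, so the check can be used from a cron job or test.
pam_check() {
    local out
    out=$(pam_resolve "$1")
    printf '%s\n' "$out"
    case "$out" in
        *MISSING:*|*LOOP:*|*BAD:*) return 1 ;;
    esac
    return 0
}

for s in ssh broken loop-a; do
    echo "== $s"
    pam_check "$s" || echo "   (unresolved references in $s)"
done
```

Pointing `PAMD` at the real `/etc/pam.d` and looping over every file there gives a quick audit of which services still carry their own stack, which delegate, and which reference something that no longer exists.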