[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAMified login?



Marek Michalkiewicz writes:
>Michael K. Johnson:
>> good reason.  Is the shadow su somehow superior?  If so, how?
>
>The shadow su has a more general version of the "wheel group"
>feature - it allows detailed access control, who can su to which
>accounts, with the target user's password (default), no password,
>or the calling user's own password.

That should *all* be dealt with in modules, not in the program
calling the modules, IMHO.

>I'm not sure if this can be
>easily done with PAM (does it know both the old and the new user
>name?) - if it can, no problem.

It can get the current username, and it is given the new one in
the pamh structure, so yes, it has both.

>> However, I used his su as a base, as noted in the patches.  If
>> you want to see what I did, it is in the usual place:
>> ftp://ftp.redhat.com/pub/devel/pam/ -- sh-utils patch and SRPM are
>> both there.)
>
>Thanks.  I think I found one problem: I think it shouldn't fork
>and call pam_open_session and pam_close_session - it's not really
>a new session, just changing the UID temporarily.

OK.  I just copied Andrew's code for that.  Does anyone here have
any good reason to create a session?  If not, I'll gladly remove it
and simplify the patch.

>At least this
>is what su traditionally does: it doesn't change utmp.

I thought the list members had agreed that utmp/wtmp was not a PAM
issue and so all of my patches leave utmp/wtmp handling in the
application.

If session handling is supposed to do utmp/wtmp handling, we need
to put it there, and I've got to go fix all the applications that
I've just ported...  If it's not, then we need to define in our
documentation *exactly* what it is for.  The DCE-RFC doesn't, as
far as I can tell.

>> Well, presumably passwd will be replaced by a password module
>> and a standard PAM password program, right?
>
>Right - though the shadow passwd program can do more than just
>change passwords: it can be used by root to change password
>aging information, expire the password etc.  I'm not sure how
>we should deal with this.  Suggestions?  (Sun will have to deal
>with this too, their passwd has these features as well.)

The passwd program should change the authorization token through
PAM, and the aging, expiration, etc. information directly.  PAM
has no methods built in for changing anything other than auth
tokens.

>The shadow login has more features - while much of this
>functionality should be moved to the PAM modules, until then
>it is already there and can be used.

I think that's the wrong answer.  I think the right answer
is to put that functionality in the PAM modules, and until
then, not even to bother trying to do login.

>- login access control (/etc/login.access)
>- login time restrictions (/etc/porttime)

pam_time already exists.  Is it not sufficient?

>- login failure limits (account locked after the specified
>number of failures, unlocked again after specified time since
>last failure)
>- dialup passwords
>
>Is there any reason to use the util-linux login in preference
>to the shadow login, besides PAM-related issues? :-)

[Michael dons his Red Hat...]

It's what we use now, and it works.  There's no reason to change
except to move to PAM.  And if the shadow support in PAM is done
right, then it won't matter which login we use.

>On the other hand, it might be better to write the PAM login
>from scratch, without using either util-linux or shadow login
>sources, which have a long history behind them - but then, we
>need modules for the missing features before it can completely
>replace the shadow login...

Start with the modules.  That's something I can't help with; you
are the shadow expert.  Once all the correct modules are written,
then any login at all with generic PAM support will work.

Remember, we're trying to get PAM working, not shadow with some
random functionality done through PAM.  Putting shadow support
first is putting the cart before the horse, IMHO.

>Speaking of login: does anyone know if the vhangup() thing in
>the util-linux login is still necessary?

I have no idea.  Ted?

michaelkjohnson

"Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []