
Re: Dynamically creating users if !exist



On Wed, 2003-10-22 at 08:40, Joe Lewis wrote:
> Harold Martin wrote:
> >>The module you are looking for sounds like you 
> >>are trying to perform an "allow unless the passwords don't match" thing, 
> >>rather than an "allow if the passwords match".
> > 
> > Not really sure what you mean there. The logic is something like
> > 
> > if (user_exists) {
> > 	if (password_is_correct) {
> > 		login;
> > 	}
> > 	else {
> > 		error;
> > 	}
> > }
> > else {
> > 	if (login_is_local) {
> > 		create_user;
> > 		login;
> > 	}
> > 	else {
> > 		error;
> > 	}
> > }
> 
> Good re-state using pseudo-code.
> >>If hardened, and power cycled, do the accounts disappear? 
> > 
> > No, why would they?
> 
> Because the accounts weren't hardened with the core system.  You'd have 
> to have a persistent form of storing the accounts from powercycle to 
> powercycle - either that or a really trustworthy ups.
I've really lost you here.
My idea is just to copy a template account for the new user.
This would then be all on the HD, right?
> >>  How do you verify that a user (even if the account hasn't been 
> >>created) is allowed to connect, even if the account isn't created?
> > 
> > Didn't think of that one, hence the login_is_local stuff above.
> > Of course I don't know if testing if the login_is_local is possible.
> > Refer to my first two statements in this email.
> 
> You can indeed test if the login is local, but to test that, there's got 
> to be a method or a criteria for determining "local" vs. not.  Perhaps 
> you're looking for something that sets the password the first time 
> someone logs in?
For my purposes, local=someone typing on the physically attached
keyboard and getting feedback through the physically attached display.

Let me know what you think...

Thanks a ton,
Harold

> >>If you need a customized pam_module, any number of these guys around the 
> >>list will be able to help.  I had to port the pam_mysql from Linux to 
> >>BSD, so I'm also able to help.
> > 
> > Thanks a whole lot. :-D
> > 
> > I noticed you didn't cc your last email to the list, so I'm not cc'ing
> > this either...
> 
> That was my mistake.
> 
> > Thanks,
> > Harold
> > 
> > 
> >>Harold Martin wrote:
> >>
> >>>On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
> >>>
> >>>
> >>>>Yes, though I'd have no clue as to why.  The whole intent of PAM is to 
> >>>>make the security of a device more easily configurable, and just opening 
> >>>>the door for users to log in with a new user ID opens a LOT of security 
> >>>>holes.
> >>>
> >>>
> >>>I'm open to suggestions (besides creating a special user to create
> >>>users, which I've already ruled out).
> >>>
> >>>I'm putting it out as a system where there will be a limited set of
> >>>people who will be allowed to access it. The computer itself will be
> >>>hardened. The only apps that will be available to users will be email,
> >>>web, and cards (basically). Certainly no console access.
> >>>I realize that with enough effort those outside of my given range of
> >>>users could login. That it could be used for cracking. That users could
> >>>bumble around and create 100 accounts for themselves.
> >>>(The latter being the worst of my fears ;) )
> >>>But I have yet to see a better way...
> >>>
> >>>
> >>>
> >>>>If you have programming 
> >>>>skills, you can create a module that catches the pam_sm_authenticate 
> >>>>function, checks for the user, and if not found, creates the user and 
> >>>>returns success.
> >>>
> >>>
> >>>I really don't have enough skills with PAM in specific (or C in general).
> >>>And this system is supposed to be available soon, so I really don't have
> >>>time to learn :(
> >>>If someone wants to mentor me in programming such a module, I'd be
> >>>extremely appreciative.
> >>>
> >>>Harold
> >>>
> >>>
> >>>
> >>>
> >>>>>Is there any way I can use PAM to dynamically create users, if the
> >>>>>username doesn't exist?
> >>>>>I've looked at creating a user whose sole purpose is to create users,
> >>>>>but I don't want to do that.
> >>>>>
> >>>>>How can I get something like this working?
> >>>>>
> >>>>>Thanks,
> >>>>>Harold
> >>>>>
> >>>>>
> >>>>>_______________________________________________
> >>>>>Pam-list mailing list
> >>>>>Pam-list redhat com
> >>>>>https://www.redhat.com/mailman/listinfo/pam-list
> >>>>
> > 
> 
> 
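The following is an added example, not code from anyone in this thread and not part of libpam. It models Harold's pseudo-code as plain C and gives one concrete answer to Joe's question of how a module could decide "local" vs. not: in a real `pam_sm_authenticate` the module would read the `PAM_TTY` and `PAM_RHOST` items with `pam_get_item()` and pass those two strings to `is_local_login()`. The function and type names (`is_local_login`, `user_exists`, `decide_login`, `login_decision`) are this example's own, the sample sessions are constructed, and the block deliberately leaves out the account-creation step itself so that it can be compiled and run without libpam or root privileges.

```c
/* Added example, not code from the pam-list thread or from libpam.
 * It models the decision branches of Harold's pseudo-code and a concrete
 * test for "local login" built on the strings a PAM module would obtain
 * via pam_get_item(pamh, PAM_TTY, ...) and pam_get_item(pamh, PAM_RHOST, ...).
 * All names below are this example's own assumptions, not a real PAM API. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    DECISION_LOGIN,             /* existing user, password verified   -> PAM_SUCCESS      */
    DECISION_CREATE_AND_LOGIN,  /* unknown user at the physical console -> create, then PAM_SUCCESS */
    DECISION_DENY_BAD_PASSWORD, /* existing user, wrong password      -> PAM_AUTH_ERR     */
    DECISION_DENY_UNKNOWN       /* unknown user, not local            -> PAM_USER_UNKNOWN */
} login_decision;

/* "Local" as Harold defines it: a physically attached keyboard and display.
 * On Linux that is a virtual console, which PAM_TTY reports as "tty" plus
 * digits ("tty1"), sometimes with a "/dev/" prefix; PAM_RHOST is unset or
 * empty for console logins. Pseudo-terminals ("pts/0") and any non-empty
 * remote host count as not local, so ssh/telnet sessions can never reach
 * the account-creation branch. */
int is_local_login(const char *tty, const char *rhost)
{
    if (rhost != NULL && rhost[0] != '\0')
        return 0;                       /* a remote host was recorded */
    if (tty == NULL)
        return 0;                       /* no terminal at all (e.g. some network services) */
    if (strncmp(tty, "/dev/", 5) == 0)
        tty += 5;                       /* normalise "/dev/tty1" to "tty1" */
    if (strncmp(tty, "tty", 3) != 0 || tty[3] == '\0')
        return 0;                       /* not a virtual console name */
    for (const char *p = tty + 3; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;                   /* "ttyS0", "ttyUSB0" etc. are serial lines, not the console */
    return 1;
}

/* Does the account already exist in the passwd database (files, NIS, LDAP, ...)? */
int user_exists(const char *user)
{
    return getpwnam(user) != NULL;
}

/* The branch structure of the pseudo-code in the thread. Note that the
 * password is only checked for users that already exist; the unknown-user
 * branch admits a caller with no credential at all, which is the hole Joe
 * pointed out, so is_local_login() is the only thing gating it. */
login_decision decide_login(int exists, int password_ok, const char *tty, const char *rhost)
{
    if (exists)
        return password_ok ? DECISION_LOGIN : DECISION_DENY_BAD_PASSWORD;
    if (is_local_login(tty, rhost))
        return DECISION_CREATE_AND_LOGIN;
    return DECISION_DENY_UNKNOWN;
}

int main(void)
{
    /* Constructed sample sessions: user, result of the password check, PAM_TTY, PAM_RHOST.
     * 192.0.2.10 is an RFC 5737 documentation address. */
    struct { const char *user; int pw_ok; const char *tty; const char *rhost; } s[] = {
        { "root",            1, "tty1",  NULL         },
        { "root",            0, "tty1",  NULL         },
        { "newuser_example", 0, "tty2",  ""           },
        { "newuser_example", 0, "pts/0", "192.0.2.10" },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        login_decision d = decide_login(user_exists(s[i].user), s[i].pw_ok, s[i].tty, s[i].rhost);
        printf("%-16s tty=%-6s rhost=%-12s -> decision %d\n", s[i].user, s[i].tty,
               s[i].rhost ? s[i].rhost : "(none)", (int)d);
    }
    return 0;
}
```

Wiring this into a real module would mean returning the PAM codes noted in the enum comments from `pam_sm_authenticate` and running the actual account creation (copying Harold's template account) only on the `DECISION_CREATE_AND_LOGIN` branch; since that branch bypasses password verification entirely, the `is_local_login()` test is the whole access control for new accounts and deserves to be as strict as the deployment allows.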



