[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Dynamic users - project info



I think you can do this:

- setup a central ldap server with openldap
- setup a web site where users can create new account
- create the user in the ldap server from the web site
- configure each Linux workstation to use the ldap server
- use the pam module to create home directories on the fly on each workstation

All this can be donde without doing any hacking to pam, but is just a sugestion.

HTH
Oliver

Harold Martin wrote:
Has anyone been able to work ons something like this?
This is for a community project I'm doing, so I can't offer any money,
sorry.
Is there anything I can do to help get this done?

Thanks,
Harold


On Wed, 2003-10-22 at 10:39, Joe Lewis wrote:
  
Okay, here's the steps to setting up the said system :

   1 - write (you or someone else) a module that will create the account 
if not already created.  The module checks for an account - if it 
exists, do not process it - if it doesn't exist, create it and return 
success.  The other PAM modules will allow it if the username exists and 
the password matches.
   2 - allow text console logins by adding a reference for the new 
module to /etc/pam.d/login.conf
   3 - allow GDM console logins by adding a reference for the new module 
to /etc/pam.d/gdm.conf
   4 - make sure any accounts needing ssh are in the usename/password 
file - once a console log in has been done, the account should later 
allow the user to ssh.

Okay, any of you guys out there have spare time to write a module?

Joe

Harold Martin wrote:

    
On Wed, 2003-10-22 at 10:00, Joe Lewis wrote:

      
Harold Martin wrote:


        
Harold Martin wrote:

            
If hardened, and power cycled, do the accounts disappear? 
                
No, why would they?
              
Because the accounts weren't hardened with the core system.  You'd have 
to have a persistent form of storing the accounts from powercycle to 
powercycle - either that or a really trustworthy ups.
            
I've really lost you here.
My idea is jsut to copy a template account for the new user.
This would then be all on the HD, right?
          
So, the accounts are not really "hardened", then, just put on a hard 
drive.  I understand.
        
Sorry for not clarifying that.

      
For my purposes, local=someone typing on the physically attached
keybaord and getting feedback through the physically attached display.
          
A simple module would suffice using the pseudo-code you already wrote, 
and then put it in the login.conf file in /etc/pam.d.  Nothing else will 
use the module to authenticate (ssh/telnet/mail), only a console text 
login (X windows might need one, too, if you want to allow that, by 
putting a reference to the module in the /etc/pam.d/[gkx]dm.conf files 
(depends on if you are using gnome, kde, or regular X) for the login and 
xscreensaver.conf for handling the screen savers.
        
I plan on using X with GDM.
I'd still like to allow some accounts to be ssh'd into.
(Is this getting too complex? ;) )
Like I said before, I can't even write a "simple module", so I'd
appreciate all the help I can get...

Thanks,
Harold


      
Joe


        
Thanks a ton,
Harold



          
If you need a customized pam_module, any number of these guys around the 
list will be able to help.  I had to port the pam_mysql from Linux to 
BSD, so I'm also able to help.
                
Thanks a whole lot. :-D

I noticed you didn't cc your last email to the list, so I'm not cc'ing
this either...
              
That was my mistake.



            
Thanks,
Harold




              
Harold Martin wrote:



                
On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:




                  
Yes, though I'd have no clue as to why.  The whole intent of PAM is to 
make the security of a device more easily configurable, and just opening 
the door for users to log in with a new user ID opens a LOT of security 
holes.
                    
I'm open to suggestions (besides creating a special user to create
users, which I've already ruled out).

I'm putting it out as a system where there will be a limited set of
people who will be allowed to access it. The computer itself will be
hardened. The only apps that will be availible to users will be email,
web, and cards (basically). Certainly no console access.
I realize that with enough effort those outside of my given range of
users could login. That it could be used for cracking. That users could
bumble around and create 100 accounts for themselves.
(The latter being the worst of my fears ;) )
But I have yet to see a better way...





                  
If you have programming 
skills, you can create a module that catches the pam_sm_authenticate 
function, checks for the user, and if not found, creates the user and 
returns success.
                    
I really don't have enough skills with PAM in specific (or C in general).
And this system is supposed to be availible soon, so I really dn't have
time to learn :(
If someone wants to mentor me in programming such a module, I'd be
extremly appreciative.

Harold






                  
Is there any way I can use PAM to dynamically create a users, if the
username doesn't exist?
I've looked at creating a user whose sole purpose is to create users,
but I don't want to do that.

How can I get something like this working?

Thanks,
Harold


_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list
                      
_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list
            
          


_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list
  

-- 
Oliver Schulze L.
<oliver samera com py>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]