
Re: pam_login_access vs. pam_access (fwd)

Hi again,

Because I don't know whether my patch for the pam_access module (please
have a look at the forwarded message, but without the patch) will be
accepted by the list moderator or not (the message was too large, larger
than 40kB, because the patch size is 100735 bytes), I am posting it again,
now in 5 pieces, in messages with the subject: "pam_access patch part X of 5"

I hope this code finds its way into the official distribution of

Best regards,

short description:
These patches enable:
 * the convert_hostname feature
 * IPv4/IPv6 support
 * the network(address) / netmask feature
 * external helper feature
 * manual support

1) patches which contain changes to the configuration file

2) patches which enable manual stuff for PAM itself

3) patches with examples or other documentation stuff

4) patches for check_login_access test program

5) the patch against the old version of pam_access.c (gzipped because it is
   60kB) which enables the new features and does the code rearrangement.

---------- Forwarded message ----------
Date: Tue, 3 Jan 2006 23:23:49 +0100 (CET)
From: Mike Becher <Mike Becher lrz-muenchen de>
To: Pluggable Authentication Modules <pam-list redhat com>
Subject: Re: pam_login_access vs. pam_access

On Mon, 12 Dec 2005, Thorsten Kukuk wrote:

> On Sat, Dec 10, Mike Becher wrote:
> > Hi,
> > 
> > I have found a module pam_access in Linux-PAM which implements the same 
> > functionality as the `original' version of pam_login_access from other 
> > platforms like FreeBSD or OpenBSD. Additionally we use a pam_login_access 
> > module for Linux on the following sites: TU Chemnitz (Technical 
> > University Chemnitz, Germany) and LRZ (Leibniz Computing Centre, Munich, 
> > Germany).
> > But there is a problem:
> > /etc/security/access.conf is used by pam_access as the default 
> > config file and /etc/login.access is used by pam_login_access. So you 
> > can't transparently substitute one module for the other.
> > Additionally the `new' pam_login_access module developed by Thomas Mueller 
> > (a colleague from TUC) and me provides enhancements, for example:
> >  * convert hostname to IP address support
> >  * IPv4/IPv6 support
> >  * network(address) / netmask support
> > which are not part of the pam_access and the `original' pam_login_access 
> > module (If you want to know more about that please have a look at 
> > http://www-user.tu-chemnitz.de/~mibe/sw/OpenPBS/home.php3 ).
> > 
> > Now I am working on an integration of this module code into Linux-PAM and don't 
> > know which is the better solution. Is it better to provide an additional 
> > module pam_login_access with its own code tree, or to enhance the existing 
> > pam_access code with the new features and build two different modules 
> > at compile time, where one will then be pam_access and the second will be 
> > pam_login_access? What's the consensus?
> I see two possibilities:
> 1. maintain the pam_login_access code outside of Linux-PAM on your
>    own. Gives you a lot more freedom, and there are a lot of
>    people doing this, too. Including me.
> 2. Enhance the current pam_access module to support the new functionality
>    with /etc/security/access.conf. But don't make two different modules
>    at compile time from it.
>   Thorsten
I'm back from holiday and have done some coding after reading this 
mail ;-). Thanks to Thorsten for his comments.

I have decided that I want to do both. So I have enhanced the existing 
pam_access module code and have done `some' code rearrangement. Now it is 
possible for me to put the pam_access code into the pam_login_access source 
framework and compile it as a standalone package. The new pam_login_access 
package version 1.2.0 is available on 
But this may not really be of interest for the Linux-PAM project.

Additionally I have added a new feature to the pam_access code to be able 
to call an external helper executable or script, to let it decide whether access 
is granted to a service or not. This may be a nice feature, for example, if 
someone wants to manage access to cluster nodes where the node is managed by 
a batch system like SGE or OpenPBS.

Furthermore I have added manual pages for pam_access, access.conf and 

The check_login_access program is mainly for administrators, to be able to 
check the syntax and semantics of a supplied access control table and/or the 
helper script.

And here is a patch to enable all this.

Best regards,
 Mike Becher                              Mike Becher lrz-muenchen de
 Leibniz-Rechenzentrum der                http://www.lrz.de
 Bayerischen Akademie der Wissenschaften  phone: +49-89-289-28721      
 Gruppe Hochleistungssysteme              fax:   +49-89-280-9460
 Barer Strasse 21                    
 D-80333 Muenchen
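The network/netmask origin matching and the first-match evaluation of an access control table that the thread discusses, as an added example that is not code from pam_access, pam_login_access or the posted patch. The line format "+|- : user : origin", the ALL keyword, the handling of a dotted IPv4 mask next to a prefix length, and the sample table are all assumptions made here for illustration, not taken from the patch or from access.conf:

```c
/* Added example (not pam_access or pam_login_access code): IPv4/IPv6 network
 * and netmask origin matching plus first-match evaluation of an access table. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

typedef struct {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* network address bytes, network byte order */
    int prefix;              /* prefix length in bits */
} net_spec;

/* Parse an address literal into out; returns its family, or -1. */
static int parse_addr(const char *s, unsigned char out[16]) {
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, s, &a4) == 1) { memcpy(out, &a4, 4); return AF_INET; }
    if (inet_pton(AF_INET6, s, &a6) == 1) { memcpy(out, &a6, 16); return AF_INET6; }
    return -1;
}
/* Dotted IPv4 mask to prefix length; a non-contiguous mask yields -1. */
static int mask_to_prefix(const unsigned char m[4]) {
    uint32_t v = ((uint32_t)m[0] << 24) | ((uint32_t)m[1] << 16) | ((uint32_t)m[2] << 8) | m[3];
    int n = 0;
    while (n < 32 && (v & 0x80000000u)) { v <<= 1; n++; }
    return v == 0 ? n : -1;
}
/* Accepts "addr" (single host), "addr/prefixlen" or, for IPv4, "addr/dotted-mask". */
int parse_net(const char *spec, net_spec *out) {
    char buf[64], *slash, *end;
    unsigned char m[16];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL) *slash = '\0';
    if ((out->family = parse_addr(buf, out->addr)) < 0) return -1;
    int bits = out->family == AF_INET ? 32 : 128;
    if (!slash) { out->prefix = bits; return 0; }
    if (out->family == AF_INET && parse_addr(slash + 1, m) == AF_INET)
        return (out->prefix = mask_to_prefix(m)) < 0 ? -1 : 0;
    long n = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || n < 0 || n > bits) return -1;
    out->prefix = (int)n;
    return 0;
}
/* 1 if client lies inside net, else 0. A family mismatch is a miss, so an
 * IPv4-mapped IPv6 client (::ffff:10.0.0.1) does not match an IPv4 network. */
int addr_in_net(const char *client, const net_spec *net) {
    unsigned char a[16];
    if (parse_addr(client, a) != net->family) return 0;
    int full = net->prefix / 8, rem = net->prefix % 8;
    if (memcmp(a, net->addr, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    unsigned char mask = (unsigned char)(0xFFu << (8 - rem));
    return (a[full] & mask) == (net->addr[full] & mask);
}
/* 1 inside, 0 outside, -1 if spec does not parse. */
int net_contains(const char *spec, const char *client) {
    net_spec net;
    return parse_net(spec, &net) == 0 ? addr_in_net(client, &net) : -1;
}
static char *trim(char *s) {
    while (*s == ' ' || *s == '\t') s++;
    for (char *e = s + strlen(s); e > s && (e[-1] == ' ' || e[-1] == '\t'); ) *--e = '\0';
    return s;
}
/* Lines are "+|- : user : origin" (assumed format); the first matching line wins.
 * user is ALL or a login name; origin is ALL, an address or a network. Only the
 * first two ':' split fields, so IPv6 origins keep their colons.
 * Returns 1 permit, 0 deny, -1 when nothing matched (caller applies its default). */
int check_access(const char *const *lines, size_t n, const char *user, const char *client) {
    for (size_t i = 0; i < n; i++) {
        char buf[256];
        if (strlen(lines[i]) >= sizeof buf) continue;
        strcpy(buf, lines[i]);
        char *c1 = strchr(buf, ':'), *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
        if (!c1 || !c2) continue;                               /* malformed: skip */
        *c1 = *c2 = '\0';
        char *perm = trim(buf), *who = trim(c1 + 1), *from = trim(c2 + 1);
        if ((perm[0] != '+' && perm[0] != '-') || perm[1] != '\0') continue;
        if (strcmp(who, "ALL") != 0 && strcmp(who, user) != 0) continue;
        if (strcmp(from, "ALL") != 0 && net_contains(from, client) != 1) continue;
        return perm[0] == '+';
    }
    return -1;
}
/* Constructed sample table for the demonstration, not a real site configuration. */
static const char *const sample_table[] = {
    "+ : root : 127.0.0.1",           "+ : root : ::1",
    "+ : ALL : 10.0.0.0/255.255.0.0", "+ : ALL : 2001:db8:0:1::/64",
    "- : ALL : ALL",
};
int sample_decision(const char *user, const char *client) {
    return check_access(sample_table, sizeof sample_table / sizeof *sample_table, user, client);
}
```

Two points a check_login_access-style syntax checker would want to catch are visible here: a netmask with non-contiguous bits (255.0.255.0) and a prefix longer than the address family allows are rejected at parse time rather than silently matching nothing, and a family mismatch between rule and client is treated as a miss, so an IPv4 rule does not accidentally cover IPv4-mapped IPv6 clients.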
