pam_login_access vs. pam_access (fwd)

Mike Becher Mike.Becher at lrz-muenchen.de
Thu Jan 5 12:47:02 UTC 2006


Hi again,

because I don't know whether my patch for the pam_access module (please
have a look at the forwarded message, but without the patch) will be accepted
by the list moderator or not (the message was too large, larger than 40kB,
because the patch size is 100735 bytes), I post it again, but now in 5
pieces in messages with subject: "pam_access patch part X of 5"

I hope this code finds its way into the official distribution of
Linux-PAM.

Best regards,
  Mike

short description:
-----------------
These patches enable:
 * convert_hostname feature
 * IPv4(/) IPv6 support
 * the network(address) / netmask feature
 * external helper feature
 * manual support

1) patches which contain changes to the configuration files
  p01-Linux-PAM-0.99.2.1-config.h.in
  p02-Linux-PAM-0.99.2.1-configure.in
  p10-Linux-PAM-0.99.2.1-modules-pam_access-Makefile.am
  p13-Linux-PAM-0.99.2.1-modules-pam_access-pam_access_config.h

2) patches which add the manual stuff for PAM itself
  p05-Linux-PAM-0.99.2.1-modules-pam_access-access.conf.5
  p09-Linux-PAM-0.99.2.1-modules-pam_access-login.access.5
  p11-Linux-PAM-0.99.2.1-modules-pam_access-pam_access.8

3) patches with examples or other documentation stuff
  p03-Linux-PAM-0.99.2.1-doc-modules-pam_access.sgml
  p04-Linux-PAM-0.99.2.1-modules-pam_access-access.conf
  p06-Linux-PAM-0.99.2.1-modules-pam_access-ChangeLog
  p14-Linux-PAM-0.99.2.1-modules-pam_access-verify_access

4) patches for check_login_access test program
  p07-Linux-PAM-0.99.2.1-modules-pam_access-check_login_access.8
  p08-Linux-PAM-0.99.2.1-modules-pam_access-check_login_access.c

5) the patch against the old version of pam_access.c (gzipped because it is
   60kB) which enables the new features and does the code rearrangement.
  p12-Linux-PAM-0.99.2.1-modules-pam_access-pam_access.c.gz


---------- Forwarded message ----------
Date: Tue, 3 Jan 2006 23:23:49 +0100 (CET)
From: Mike Becher <Mike.Becher at lrz-muenchen.de>
To: Pluggable Authentication Modules <pam-list at redhat.com>
Subject: Re: pam_login_access vs. pam_access

On Mon, 12 Dec 2005, Thorsten Kukuk wrote:

> On Sat, Dec 10, Mike Becher wrote:
> 
> > Hi,
> > 
> > I have found a module pam_access in Linux-PAM which implements the same 
> > functionality as the `original' version of pam_login_access from other 
> > platforms like FreeBSD or OpenBSD. Additionally we use a pam_login_access 
> > module for Linux on the following sites: TU Chemnitz (Technical 
> > University Chemnitz, Germany) and LRZ (Leibniz Computing Centre, Munich. 
> > Germany).
> > But there is a problem:
> > /etc/security/access.conf is used by pam_access as the default 
> > config file and /etc/login.access is used by pam_login_access. So you 
> > can't transparently substitute one module for the other.
> > Additionally the `new' pam_login_access module developed by Thomas Mueller 
> > (a colleague from TUC) and me provides enhancements, for example: 
> >  * convert hostname to ip address support
> >  * IPv4(/) IPv6 support
> >  * network(address) / netmask support
> > which are not part of the pam_access and the `original' pam_login_access 
> > module (If you want to know more about that please have a look at 
> > http://www-user.tu-chemnitz.de/~mibe/sw/OpenPBS/home.php3 ).
> > 
> > Now I work on an integration of this module code into Linux-PAM and don't 
> > know what is the better solution. Is it better to provide an additional 
> > module pam_login_access with its own code tree, or to enhance existing 
> > pam_access code with the new features and build two different modules 
> > at compile time where one will then be pam_access and the second will be 
> > pam_login_access. What's the consensus?
> 
> I see two possibilities:
> 
> 1. maintain the pam_login_access code outside of Linux-PAM at your
>    own. Gives you a lot of more freedom, and there are a lot of
>    people doing this, too. Including me.
> 
> 2. Enhance the current pam_access module to support the new functionality
>    with /etc/security/access.conf. But don't make two different modules
>    at compile time from it.
> 
>   Thorsten
I'm back from holiday and have done some coding after I have read this 
mail ;-). Thanks to Thorsten for his comments.

I have decided that I want to do both. So I have enhanced the existing 
pam_access module code and have done `some' code rearrangement. Now it is 
possible for me to put the pam_access code into pam_login_access source 
framework and compile it as standalone package. The new pam_login_access 
package version 1.2.0 is available on 
  http://www-user.tu-chemnitz.de/~mibe/sw/OpenPBS/home.php3
But this may not really be of interest for the Linux-PAM project.

Additionally I have added a new feature to the pam_access code to be able 
to call an external helper executable or script, to let it decide whether access 
is granted to a service or not. This may be a nice feature, for example, if 
someone wants to manage access to cluster nodes where the node is managed by 
a batch system like SGE or OpenPBS.

Furthermore I have added manual pages for pam_access, access.conf and 
check_login_access.

The check_login_access program is mainly for administrators to be able to 
check the syntax and semantics of a supplied access control table and/or the 
helper script.

And here is a patch to enable all this.

Best regards,
  Mike
-----------------------------------------------------------------------------
 Mike Becher                              Mike.Becher at lrz-muenchen.de
 Leibniz-Rechenzentrum der                http://www.lrz.de
 Bayerischen Akademie der Wissenschaften  phone: +49-89-289-28721
 Gruppe Hochleistungssysteme              fax:   +49-89-280-9460
 Barer Strasse 21
 D-80333 Muenchen
 Germany
-----------------------------------------------------------------------------