[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

pam_access patch part 3 of 5



pam_access patch part 3 of 5

patches with examples or other documatation stuff
  p03-Linux-PAM-0.99.2.1-doc-modules-pam_access.sgml
  p04-Linux-PAM-0.99.2.1-modules-pam_access-access.conf
  p06-Linux-PAM-0.99.2.1-modules-pam_access-ChangeLog
  p14-Linux-PAM-0.99.2.1-modules-pam_access-verify_access
                                                                                                                                                          
short description:
-----------------
                                                                                                                                                          
These patches enable:
 * convert_hostname feature
 * IPv4(/)  IPv6  support
 * the network(address) / netmask feature
 * external helper feature
 * manual support
                                                                                                                                                          
best regards,
  mike


-----------------------------------------------------------------------------
 Mike Becher                              Mike Becher lrz-muenchen de
 Leibniz-Rechenzentrum der                http://www.lrz.de
 Bayerischen Akademie der Wissenschaften  phone: +49-89-289-28721      
 Gruppe Hochleistungssysteme              fax:   +49-89-280-9460
 Barer Strasse 21                    
 D-80333 Muenchen
 Germany                   
-----------------------------------------------------------------------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/doc/modules/pam_access.sgml Linux-PAM-0.99.2.1/doc/modules/pam_access.sgml
--- Linux-PAM-0.99.2.1.orig/doc/modules/pam_access.sgml	2005-05-27 12:33:15.000000000 +0200
+++ Linux-PAM-0.99.2.1/doc/modules/pam_access.sgml	2006-01-02 20:45:02.000000000 +0100
@@ -1,6 +1,7 @@
 <!--
    
    pam_access module docs added by Tim Berger <timb transmeta com>
+   enhancements are documented by Mike Becher <mike becher lrz-muenchen de>
 
 -->
 
@@ -18,13 +19,16 @@
 
 <tag><bf>Author[s]:</bf></tag>
 
-Alexei Nogin &lt;alexei nogin dnttm ru&gt;
+Alexei Nogin &lt;alexei nogin dnttm ru&gt;, 
+
+Thomas Mueller &lt;thomas mueller hrz tu-chemnitz de&gt;, 
+
+Mike Becher &lt;mike becher lrz-muenchen de&gt;
 
 <tag><bf>Maintainer:</bf></tag>
 	
 <tag><bf>Management groups provided:</bf></tag>
-
-account
+account; authentication; session
 
 <tag><bf>Cryptographically sensitive:</bf></tag>
 
@@ -42,6 +46,8 @@
 the stdin file descriptor with <tt/ttyname()/.  Standard
 gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/
 calls.  <bf/NIS/ is used for netgroup support.
+<bf/Network-netmask translation/ will be done by use of
+<tt/inet_ntop()/ and <tt/inet_pton()/.
 
 </descrip>
 
@@ -57,10 +63,30 @@
 
 <tag><bf>Recognized arguments:</bf></tag>
 
-<tt>accessfile=<it>/path/to/file.conf</it></tt>;
+<tt>accessfile=<it>/path/to/file.conf</it></tt>
+
+<tt>ask_helper_only</tt>
+
+<tt>convert_hostname</tt>
+
+<tt>debug</tt>
+
+<tt>file=<it>/path/to/file.conf</it></tt>
+
 <tt>fieldsep=<it>separators</it></tt>
+
+<tt>helperfile=<it>/path/to/helper/executable</it></tt>
+
 <tt>listsep=<it>separators</it></tt>
 
+<tt>onerr=<it>[</it>fail<it>|</it>success<it>]</it></tt>
+
+<bf>Deprecated arguments</bf>
+
+<tt>file <it>/path/to/file.conf</it></tt>
+
+<tt>onerr <it>[</it>fail<it>|</it>success<it>]</it></tt>
+
 <tag><bf>Description:</bf></tag>
 
 This module provides logdaemon style login access control based on
@@ -68,28 +94,56 @@
 network numbers), or on terminal line names in case of non-networked
 logins. Diagnostics are reported through <tt/syslog(3)/.  Wietse
 Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
-several changes by A. Nogin.
+several changes by A. Nogin and the other authors.
 
 <p> 
 The behavior of this module can be modified with the following 
 arguments: 
 <itemize> 
  
-<item><tt>accessfile=/path/to/file.conf</tt> - 
+<item><tt>accessfile=<it>/path/to/file.conf</it></tt> - 
 indicate an alternative <em/access/ configuration file to override 
 the default. This can be useful when different services need different 
 access lists. 
 
+<item><tt>ask_helper_only</tt> - ask  external helper program only if a
+user should get access to this service or not. Access control table
+will not be evaluated. Option <tt>helperfile</tt> must be specified 
+also to activate this option.
+
+<item><tt>convert_hostname</tt> - if a hostname was specified in
+config file then try to convert it to IP address.
+
+<item><tt>debug</tt> - turn on debugging output.
+
 <item><tt>fieldsep=<it>separators</it></tt> -
 this option modifies the field separator character that
 <tt/pam_access/ will recognize when parsing the access configuration
 file. For example: <tt>fieldsep=|</tt> will cause the default `:'
 character to be treated as part of a field value and `|' becomes the
-field separator. Doing this is useful in conjuction with a system that
+field separator. Doing this may be useful in conjuction with a system that
 wants to use pam_access with X based applications, since the
 <tt/PAM_TTY/ item is likely to be of the form "hostname:0" which
 includes a `:' character in its value.
 
+<item><tt>file=<it>/path/to/file.conf</it></tt> - same meaning like
+<tt>accessfile=<it>/path/to/file.conf</it></tt>
+
+<item><tt>file <it>/path/to/file.conf</it></tt> - same meaning like
+<tt>file=/path/to/file.conf</tt> (for compatibility if someone has used
+pam_login_access) but use is deprecated.
+
+<item><tt>helperfile=<it>/path/to/helper/executable</it></tt> - if an external
+helper program was specified it will be  asked whether  a  user
+should get  access  to  this  service  or  not.  If  option
+<tt>ask_helper_only</tt> was not specified this will be done after
+processing of access control table but only if user doesn't get access
+granted yet through evaluation process of access control table. Please
+have a look at sample <tt>verify_access</tt> helper script which may
+be include in this distribution. Please have a look at
+<tt>verify_access</tt> helper script description in section
+<bf>Examples/suggested usage</bf> below.
+
 <item><tt>listsep=<it>separators</it></tt> -
 this option modifies the list separator character that
 <tt/pam_access/ will recognize when parsing the access configuration
@@ -99,13 +153,23 @@
 group information obtained from a Windows domain, where the default built-in
 groups "Domain Users", "Domain Admins" contain a space.
 
+<item><tt>onerr=fail</tt> (or <tt>onerr fail</tt>) -
+if an internal error occured let module return with failed. This means for 
+example access forbidden.
+
+<item><tt>onerr=success</tt> (or <tt>onerr success</tt>) -
+if an internal error occured let module return with success. This means for 
+example access granted which is the default behavior.
+
 </itemize> 
 
 <tag><bf>Examples/suggested usage:</bf></tag>
 
 Use of module is recommended, for example, on administrative machines
 such as <bf/NIS/ servers and mail servers where you need several accounts
-active but don't want them all to have login capability.
+active but don't want them all to have login capability. Another
+example may be cluster computers where you need temporarly control
+over login capability.
 
 For <tt>/etc/pam.d</tt> style configurations where your modules live
 in <tt>/lib/security</tt>, start by adding the following line to
@@ -124,4 +188,18 @@
 A sample <tt>access.conf</tt> configuration file is included with the
 distribution.
 
+A sample <tt>verify_access</tt> helper script is included with the
+distribution. This helper script will be called by <tt>pam_access</tt>
+module with the following command line
+<tscreen>
+<verb>
+/path/to/verify_access user from
+</verb>
+</tscreen>
+where <tt>from</tt> may be a tty, X display, service, remote hostname,
+or remote address. The helper executable should return with <tt>0</tt>
+(zero) if access to this service is granted and with <tt>1</tt> (one)
+if access is denied. All other exit codes result in an internal error,
+access will be denied, and a log message will be produced.
+
 </descrip>
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf Linux-PAM-0.99.2.1/modules/pam_access/access.conf
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf	2005-09-26 14:43:17.000000000 +0200
+++ Linux-PAM-0.99.2.1/modules/pam_access/access.conf	2006-01-02 17:24:32.000000000 +0100
@@ -1,5 +1,8 @@
 # Login access control table.
 # 
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
 # When someone logs in, the table is scanned for the first entry that
 # matches the (user, host) combination, or, in case of non-networked
 # logins, the first entry that matches the (user, tty) combination.  The
@@ -63,3 +66,52 @@
 #
 # All other accounts are allowed to login from anywhere.
 #
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via su cron .. tty5 tty6.
+#+ : root : su cron crond xdm :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+#+ : root : 127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+#          The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+ : root : 192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+ : root : .foo.bar.org
+#
+# User "root" should be denied to get access from all other sources. 
+#- : root : ALL
+#
+# User "foo" and members of NIS group "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if NIS service is available.
+#+ : @nis_group foo : ALL
+#
+# Users "xfs" and "foo" should be allowed to get acccess via su.
+#+ : xfs foo : su
+#
+# User "john" should get access from ipv4 net/mask
+#+ : john : 127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+ : john : ::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+ : john : 2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+ : john : 2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 net/mask
+#+ : john : 2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#- : ALL : ALL 
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/ChangeLog Linux-PAM-0.99.2.1/modules/pam_access/ChangeLog
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/ChangeLog	1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/ChangeLog	2006-01-03 19:36:39.000000000 +0100
@@ -0,0 +1,95 @@
+* Tue Jan 3 2006 - mibe
+  - Switch COMPILE_AS_LOGIN_ACCESS introduced to be able to build
+    pam_access as pam_login_access stand alone module.
+* Mon Jan 2 2006 - mibe
+  - Function convert_hostname_r() introduced to make this reentrant.
+    But this may only work in case of use of inet_ntop().
+* Sat Dec 31 2005 - mibe
+  - Now check_login_access.c includes pam_access.c to make all
+    internal stuff static (means unseen).
+    Compile switch -DPAM_ACCESS_COMPILE_PROGRAM hides module code
+    in case of compiling of application.
+  - External helper program support introduced which can be used to
+    get exclusive or additionally information to config rules to deny or
+    allow access to this service.
+    - To distinguish between exclusive or additionally usage option
+      `ask_helper_only' introduced.
+    - To activate use of external helper program option
+      `helperfile=/path/to/helper/file/executable' introduced.
+  - In check_login_access option -o <pam_options> introduced. Most
+    other options removed.
+* Thu Dec 15 2005 - mibe
+  - Code from Andrey V. Savochkin which does more correct check of
+    IPv4 address in function from_match substituted to support IPv6
+    addresses also.
+* Wed Dec 12 2005 - mibe
+  - merge of pam_login_access code into pam_access code
+* Wed Dec 8 2005 - mibe
+  - options accessfile=... and others taken from pam_access for
+    compatibility
+  - syslog changed to pam_syslog
+* Mon Dec 6 2005 - mibe
+  - started to include this module into Linux-PAM
+* Tue Jul 28 2005 - mibe
+  - Makefile.am - pam_libs added
+  - etc_login.access added
+  - pam_login_access.spec added
+* Tue Jul 26 2005 - mibe
+  - login_access.5 example added
+  - pam_login_access.8 options added.
+* Mon Jul 25 2005 - mibe
+  - ChangeLog added.
+  - AUTHORS added.
+  - Empty NEWS and README added to make automake without option
+    foreign happy.
+  - Moved COPYING.LIB-2.0 to COPYING.
+* Thu Jul 22 2005 - mibe
+  - Function pam_login_access_pam_options() added for scanning command
+    line options which gets the module when it will be called by an
+    application.
+  - Options variables added that will be used by
+    pam_login_access_pam_options()
+     - pam_login_access_opt_msg_to_stdout - will only be used and
+       switched on by check_login_access program to redirect output
+       from syslog to stdout/stderr.
+     - pam_login_access_opt_msg_debug - used by pam module and
+       check_login_access program to enable debugging output.
+     - pam_login_access_opt_onerr - used by pam module and
+       check_login_access program to exit with success or error.
+     - pam_login_access_opt_filename - used by pam module and
+       check_login_access program to use an alternative login.access
+       file
+     - pam_login_access_opt_convert_hostname - used by pam module and
+       check_login_access program to convert a hostname into ip
+       address.
+  - PAM option "debug" introduced which enables debugging output.
+    Default (without option) is now disabled.
+* Thu Jul 19 2005 - mibe
+  - Function network_netmask_match()
+  - Function number_to_netmask()
+  - Function are_addresses_equal()
+  - Function isipaddr() now uses inet_pton() to check if string is a
+    valid IPv4 or IPv6 address.
+* Mon Jul 18 2005 - mibe
+  - Program check_login_access introduced which based on test
+    functionality which was further in login_access.c. Now you can
+    check your login.access syntax and semantics.
+  - Static variable pam_login_access_opt_msg_to_stdout introduced
+    that will only be used and switched on by check_login_access 
+    program to redirect output from syslog to stdout/stderr.
+  - Check for yp_get_default_domain() added to configure.in.
+* Fri Jul 15 2005 - mibe
+  - Makefile.am added. Now you can type "make", "make install",
+    "make [DESTDIR=<dir>] install", "make clean", "make distclean",
+    "make dist", etc..
+  - etc_pam.d_sshd.example added.
+  - login.access.example added.
+* Thu Jul 14 2005 - mibe
+  - Code reconstruction for use with autotools.
+  - C-style transformation from K&R to ANSI C.
+* Tue Aug  1 2000 - thm
+  - Function conv_hostname added to convert hostname to ip address if
+    required.
+* Tue May 25 1999 - thm
+  - pam_login_access_{acct,auth,password,sess}.c added to split work
+    by PAM module into meaningful section.
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/verify_access Linux-PAM-0.99.2.1/modules/pam_access/verify_access
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/verify_access	1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/verify_access	2006-01-02 17:24:32.000000000 +0100
@@ -0,0 +1,40 @@
+#! /bin/bash
+#
+# This is an example helper script that may be called by
+# pam_access module.
+# Program will be called like:
+#   program <user> <rhost/service>
+#
+# Meaning of exit code:
+#  * Access is granted if program exits with 1.
+#  * Access is denied if program exits with 0.
+#  * All other exit values are leading to an error and 
+#    access is also denied. 
+
+user="$1"
+rhost="$2"
+
+if [ "_$user" = "_" ]
+then
+  # access denied
+  exit 1
+fi
+
+if [ "_$rhost" = "_" ]
+then
+  # access denied
+  exit 1
+fi
+
+#
+# Do what you need to find out if user should get access or not.
+#
+
+#if [ "$user" = "john" -a "$rhost" = "localhost" ]
+#then
+#  # access granted
+#  exit 0
+#fi
+
+# access denied
+exit 1

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]