account section for disconnected auth

Andreas Hasenack ahasenack at terra.com.br
Fri Nov 24 17:10:45 UTC 2006


[pam-0.99.6.0]

Hi all,

I'm trying to come up with a good account section for systems operating
under "disconnected auth", that is, network auth when there is no
network or the server went away.

I'm testing for now with nss info in ldap and kerberos auth (pam_krb5).  For
the nss part I'm using nss_db + nss_updatedb. This means that using
"user_unknown=ignore" like shown below doesn't work as intended, because the
user *is* known (but not listed in /etc/passwd or shadow):

account     [user_unknown=ignore default=done] pam_unix.so
account     [authinfo_unavail=ignore default=done] pam_krb5.so
account     required       pam_permit.so

With the above setup, pam_unix fails. It seems the only way to make this work
is to either add "authinfo_unavail=ignore" or "broken_shadow" to pam_unix, like
this:

account     [user_unknown=ignore default=done] pam_unix.so broken_shadow
account     [authinfo_unavail=ignore default=done] pam_krb5.so
account     required       pam_permit.so

or

account     [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
account     [authinfo_unavail=ignore default=done] pam_krb5.so
account     required       pam_permit.so

I also thought about making pam_unix "sufficient", but this would make it
possible for local users to bypass authorization rules, no?

Any thoughts? Thanks in advance.
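
Added below the message as an illustration (this is not part of Andreas's post and not Linux-PAM code): a small Python model of how libpam walks an account stack under the "[value=action ...]" control syntax, run over the three stacks quoted above plus the "sufficient" variant the message asks about. The module behaviour is an assumption implied by the message rather than stated in it: for a user that resolves only through nss_db (no /etc/shadow entry), pam_unix.so account management returns authinfo_unavail, or success when given broken_shadow; pam_krb5.so returns authinfo_unavail while the KDC is unreachable and, in the constructed "online" case, acct_expired, purely so one can see whether its verdict is ever consulted. The ok/done/bad/die/ignore actions follow pam.conf(5); jump counts and reset are not modelled.

```python
# Added example, not from the original message or from Linux-PAM itself:
# a model of how libpam combines module return codes under the
# "[value=action ...]" control syntax, applied to the account stacks above.
# Module behaviour is assumed (see the lead-in), not taken from the real modules.
from typing import Callable, Dict, List, Tuple

Control = Dict[str, str]                    # return value -> action
Entry = Tuple[Control, str, List[str]]      # (control, module, options)
Scenario = Callable[[str, List[str]], str]  # (module, options) -> return value

# Expansions of the classic keywords, as documented in pam.conf(5).
KEYWORDS: Dict[str, Control] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
MUST_FAIL = "perm_denied"  # returned when no module contributed a verdict

def parse_control(field: str) -> Control:
    """'required' or '[user_unknown=ignore default=done]' -> value->action map."""
    field = field.strip()
    if field in KEYWORDS:
        return dict(KEYWORDS[field])
    if not (field.startswith("[") and field.endswith("]")):
        raise ValueError(f"unrecognised control field: {field!r}")
    table: Control = {}
    for pair in field[1:-1].split():
        value, action = pair.split("=", 1)
        table[value] = action
    return table

def parse_stack(text: str) -> List[Entry]:
    """Parse pam.d-style lines '<type> <control> <module> [options...]'."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):              # bracketed control contains spaces
            end = rest.index("]")
            control, rest = rest[: end + 1], rest[end + 1 :]
        else:
            control, rest = rest.split(None, 1)
        module, *options = rest.split()
        stack.append((parse_control(control), module, options))
    return stack

def evaluate(stack: List[Entry], scenario: Scenario) -> Tuple[str, List[str]]:
    """Walk the stack like libpam's dispatcher (jump counts and reset omitted).
    ok/done adopt the module's return value while no failure is recorded yet,
    even if that value is itself a failure; bad/die record the first failure;
    done/die stop the walk. Returns (overall status, modules consulted)."""
    impression = None   # None: undecided, True: positive, False: negative
    status = MUST_FAIL
    consulted: List[str] = []
    for control, module, options in stack:
        retval = scenario(module, options)
        consulted.append(module)
        action = control.get(retval, control.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError(f"action {action!r} not modelled")
    return status, consulted

def network_user(kdc_reachable: bool) -> Scenario:
    """Constructed scenario (assumed behaviour): the user resolves through nss_db
    but has no shadow entry, so pam_unix.so returns authinfo_unavail unless given
    broken_shadow. pam_krb5.so returns authinfo_unavail while the KDC is down and,
    once reachable, acct_expired so we can see whether its verdict is consulted."""
    def scenario(module: str, options: List[str]) -> str:
        if module == "pam_unix.so":
            return "success" if "broken_shadow" in options else "authinfo_unavail"
        if module == "pam_krb5.so":
            return "acct_expired" if kdc_reachable else "authinfo_unavail"
        return "success"  # pam_permit.so
    return scenario

# The three stacks from the message, plus the "sufficient" variant it asks about.
KRB5_AND_PERMIT = "account [authinfo_unavail=ignore default=done] pam_krb5.so\naccount required pam_permit.so\n"
STACK_ORIGINAL = "account [user_unknown=ignore default=done] pam_unix.so\n" + KRB5_AND_PERMIT
STACK_BROKEN_SHADOW = "account [user_unknown=ignore default=done] pam_unix.so broken_shadow\n" + KRB5_AND_PERMIT
STACK_IGNORE_UNAVAIL = "account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so\n" + KRB5_AND_PERMIT
STACK_SUFFICIENT = "account sufficient pam_unix.so broken_shadow\n" + KRB5_AND_PERMIT

def outcome(stack_text: str, kdc_reachable: bool) -> Tuple[str, List[str]]:
    return evaluate(parse_stack(stack_text), network_user(kdc_reachable))

if __name__ == "__main__":
    for name in ("STACK_ORIGINAL", "STACK_BROKEN_SHADOW", "STACK_IGNORE_UNAVAIL", "STACK_SUFFICIENT"):
        print(name, "offline:", outcome(globals()[name], False), "online:", outcome(globals()[name], True))
```

Under these assumptions the model reproduces the behaviour described in the message: the first stack returns authinfo_unavail because a failing pam_unix hits default=done, which adopts the failure and ends the walk. It also shows two points worth checking on a real system before adopting either fix. With broken_shadow, pam_unix returns success, and since success is not listed in its control field it also hits default=done, so pam_krb5 is never consulted for any known user, online or not; that is the same effect as making pam_unix sufficient. The authinfo_unavail=ignore variant keeps pam_krb5 in the loop whenever pam_unix has nothing to say, and the trailing pam_permit is what turns an all-ignored stack into success; removing it leaves libpam with no verdict and the account phase fails.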
