
Re: sudo/SSH

Dan Merillat wrote:
> I've been working on converting sudo and SSH to use PAM...
> sudo was straightforward (replace check_password with some pam calls and boom)

The correct PAMification of sudo isn't an obvious thing.
We need to have a module, called for example pam_timestamp,
which performs authentication like it is done in sudo: if you've been
authenticated, new authentication attempts should return success for a specified time.
The module should be configurable to accept a previous authentication
if a specified subset of "user for which authentication is performed",
"invoked user", "process tty", "user's host",
"process pid", "process parent pid" of the authentication ticket creator
matches the current one.

Sudo in the main distribution (I mean 1.5.3) performs such a check
only for "invoked user" and "process tty" (or "invoked user" only, which is
configurable at compile time). This policy allows a user without
sudo permission to obtain it under certain conditions (i.e. there is
a small security hole in sudo).

> but the message passing for SSH has me stuck... what's a good example of
> passing messages back and forth in PAM?
> (BTW, anyone actually patched SSH and sudo already?)

I have been going to PAMify sudo for about a month but I have no time for
such a job.

The correct PAMification of ssh isn't an obvious thing either.
The problem was discussed on this list about a week or two ago.

					Andrey V.
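The ticket-matching policy sketched above, as an added example that is not part of the original message and not sudo's or any PAM module's code: a cached authentication ticket records the attributes listed in the mail (user authenticated for, invoking user, tty, host, pid, parent pid) plus its creation time, and a bitmask selects which of them must match before a new request is allowed to skip the password prompt. The names below (`struct ticket`, `ticket_accepts`, the `MATCH_*` flags, the two `POLICY_*` masks) and the pids, usernames and timestamps in the scenario are constructed for illustration. The "invoked user + tty" mask mirrors the 1.5.3 behaviour the mail describes; the stricter mask shows why binding the ticket to the creating process and its parent narrows what a ticket left behind on a shared tty can be used for.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Attributes a cached authentication ticket may be required to match.
 * Constructed names for this example, not real sudo/PAM identifiers. */
enum {
    MATCH_AUTH_USER = 1 << 0, /* user for which authentication is performed */
    MATCH_INVOKED   = 1 << 1, /* invoking user */
    MATCH_TTY       = 1 << 2, /* process tty */
    MATCH_HOST      = 1 << 3, /* user's host */
    MATCH_PID       = 1 << 4, /* process pid */
    MATCH_PPID      = 1 << 5  /* process parent pid */
};

/* Who created a ticket, or who is presenting one now. */
struct ticket {
    const char *auth_user;
    const char *invoked_user;
    const char *tty;
    const char *host;
    long pid;
    long ppid;
    time_t created; /* only meaningful on the stored ticket */
};

static bool same_str(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* True if the stored ticket lets the current request skip a new password
 * prompt: it must be no older than ttl seconds and every attribute
 * selected in mask must match. Everything not in mask is ignored. */
bool ticket_accepts(const struct ticket *stored, const struct ticket *cur,
                    unsigned mask, time_t now, long ttl)
{
    if (now < stored->created || now - stored->created > ttl)
        return false; /* expired, or clock moved backwards: re-authenticate */
    if ((mask & MATCH_AUTH_USER) && !same_str(stored->auth_user, cur->auth_user))
        return false;
    if ((mask & MATCH_INVOKED) && !same_str(stored->invoked_user, cur->invoked_user))
        return false;
    if ((mask & MATCH_TTY) && !same_str(stored->tty, cur->tty))
        return false;
    if ((mask & MATCH_HOST) && !same_str(stored->host, cur->host))
        return false;
    if ((mask & MATCH_PID) && stored->pid != cur->pid)
        return false;
    if ((mask & MATCH_PPID) && stored->ppid != cur->ppid)
        return false;
    return true;
}

/* Policy as the mail describes sudo 1.5.3: invoked user and tty only. */
#define POLICY_USER_TTY (MATCH_INVOKED | MATCH_TTY)
/* Stricter policy: also bind the ticket to the target user and the
 * creating process and its parent (the interactive shell). */
#define POLICY_STRICT (MATCH_INVOKED | MATCH_TTY | MATCH_AUTH_USER | \
                       MATCH_PID | MATCH_PPID)

#define TICKET_TTL 300 /* seconds; constructed value */

/* Constructed scenario: alice authenticated for root from shell 4000
 * (sudo pid 4100) on tty1 at t=1000. Later, at t=1100, a different
 * process tree (pid 5200 under parent 5100) on the same tty presents
 * the same invoked user and tty. */
static const struct ticket creator = {"root", "alice", "tty1", "localhost", 4100, 4000, 1000};
static const struct ticket same_shell = {"root", "alice", "tty1", "localhost", 4100, 4000, 0};
static const struct ticket other_tree = {"root", "alice", "tty1", "localhost", 5200, 5100, 0};

bool loose_policy_accepts_other_tree(void)
{
    return ticket_accepts(&creator, &other_tree, POLICY_USER_TTY, 1100, TICKET_TTL);
}

bool strict_policy_accepts_other_tree(void)
{
    return ticket_accepts(&creator, &other_tree, POLICY_STRICT, 1100, TICKET_TTL);
}

bool strict_policy_accepts_creator(void)
{
    return ticket_accepts(&creator, &same_shell, POLICY_STRICT, 1100, TICKET_TTL);
}

bool expired_ticket_rejected(void)
{
    return ticket_accepts(&creator, &same_shell, POLICY_STRICT, 2000, TICKET_TTL);
}

int main(void)
{
    printf("user+tty policy, other process tree on same tty: %s\n",
           loose_policy_accepts_other_tree() ? "accepted" : "rejected");
    printf("strict policy,   other process tree on same tty: %s\n",
           strict_policy_accepts_other_tree() ? "accepted" : "rejected");
    printf("strict policy,   creating shell again:           %s\n",
           strict_policy_accepts_creator() ? "accepted" : "rejected");
    printf("strict policy,   creator after ttl expired:      %s\n",
           expired_ticket_rejected() ? "accepted" : "rejected");
    return 0;
}
```

The interesting line is the first one: with only invoked user and tty in the mask, the ticket cannot tell the creating shell apart from any other process that later ends up on that tty under the same invoking user, which is the kind of condition the mail alludes to. Adding pid and ppid to the mask keeps the convenience for the shell that authenticated while refusing everything else; which subset is right is a deployment decision, hence the mail's call for it to be configurable.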
