[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sudo/SSH

On Thu, 6 Mar 1997, Savochkin Andrey Vladimirovich wrote:

> Date: Thu, 06 Mar 1997 10:27:25 +0300
> From: Savochkin Andrey Vladimirovich <saw@msu.ru>
> To: Dan Merillat <Dan@Merillat.org>
> Cc: pam-list@redhat.com
> Subject: Re: sudo/SSH
> Dan Merillat wrote:
> > 
> > I've been working on converting sudo and SSH to use PAM...
> > 
> > sudo was straightforward (replace check_password with some pam calls and boom)
> The correct PAMification of sudo isn't an obvious thing.
> We need to have a module, called for example pam_timestamp, that
> performs authentication the way sudo does: if you've been
> authenticated

Ok, to explain:  getting PW authentication via PAM into sudo is 
straightforward.  Moving the sudo timestamp code into a module is
slightly less so, but still not bad. 

> new authentication attempts should return success for a specified time.
> The module should be configurable to accept a previous authentication
> if a specified subset of "user for which authentication is performed",
> "invoked user", "process tty", "user's host",
> "process pid", "process parent pid" of the authentication ticket creator
> match the current ones.

Yup.  Then there is also pam_sudoers.so to be made, so you have a list of
who is allowed to sudo.  I think required for account and sufficient for
password would be the correct config.  (off the top of my head, that is...)
I'd have to add an argument to sudoers to have it return true if they don't
need a password.

But right now sudo works on my system using shadowed MD5 passwords, so that
is a start.

> > but the message passing for SSH has me stuck... what's a good example of
> > passing messages back and forth in PAM?
> > 
> [...]
> > 
> > (BTW, anyone actually patched SSH and sudo already?)
> I've been going to PAMify sudo for about a month but I have no time for
> such a job.
> The correct PAMification of ssh isn't an obvious thing either.
> The problem was discussed on this list about a week or two ago.

Is there a list archive somewhere?  I've had a few people tell me about
that... and from looking at the code it looks tough.  I may just teach SSH
about shadowed MD5 passwords with libpwdb, and leave it at that.
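The timestamp module Andrey describes above, sketched as an added example (not code from either poster, from sudo, or from Linux-PAM): the C below keeps the core of such a pam_timestamp ticket check, with a hypothetical `match=` module argument selecting which of the fields he lists (user, invoked user, tty, host, pid, parent pid) must agree with the saved ticket, plus a timeout. The names `parse_match`, `ticket_valid`, the `MATCH_*` flags and the sample tickets are assumptions for illustration; the real module would wrap this in `pam_sm_authenticate()`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Which fields of a saved authentication ticket must match the current
 * request before the ticket is honoured.  Selected by a hypothetical
 * module argument such as "match=user,tty,ppid". */
enum {
    MATCH_USER  = 1 << 0,   /* user who invoked sudo */
    MATCH_RUSER = 1 << 1,   /* user we authenticate for / switch to */
    MATCH_TTY   = 1 << 2,
    MATCH_RHOST = 1 << 3,
    MATCH_PID   = 1 << 4,
    MATCH_PPID  = 1 << 5,
};

struct ticket {
    char   user[32];
    char   ruser[32];
    char   tty[32];
    char   rhost[64];
    long   pid;
    long   ppid;
    time_t created;   /* when the password was last actually checked */
};

/* Parse "user,tty,ppid" into a MATCH_* mask; returns -1 on an unknown name. */
int parse_match(const char *spec)
{
    static const struct { const char *name; int bit; } fields[] = {
        {"user", MATCH_USER}, {"ruser", MATCH_RUSER}, {"tty", MATCH_TTY},
        {"rhost", MATCH_RHOST}, {"pid", MATCH_PID}, {"ppid", MATCH_PPID},
    };
    int mask = 0;
    for (const char *p = spec; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int bit = 0;
        for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
            if (strlen(fields[i].name) == len && memcmp(fields[i].name, p, len) == 0)
                bit = fields[i].bit;
        if (!bit)
            return -1;          /* typo in the config must not silently widen the policy */
        mask |= bit;
        p = end ? end + 1 : p + len;
    }
    return mask;
}

/* Decide whether request `cur` may reuse saved ticket `t` without a fresh
 * password: every field selected in `policy` must match and the ticket must
 * be no older than `timeout` seconds.  A ticket dated in the future is
 * rejected as well; after the clock is stepped backwards it would otherwise
 * stay valid for much longer than `timeout`.
 * In a real module, pam_sm_authenticate() would fill `cur` from
 * pam_get_item(PAM_USER / PAM_RUSER / PAM_TTY / PAM_RHOST), getpid() and
 * getppid(), read `t` from a file in a root-only directory, and map the
 * result to PAM_SUCCESS or PAM_AUTH_ERR. */
bool ticket_valid(const struct ticket *t, const struct ticket *cur,
                  int policy, time_t timeout, time_t now)
{
    if (t->created > now || now - t->created > timeout)
        return false;
    if ((policy & MATCH_USER)  && strcmp(t->user,  cur->user)  != 0) return false;
    if ((policy & MATCH_RUSER) && strcmp(t->ruser, cur->ruser) != 0) return false;
    if ((policy & MATCH_TTY)   && strcmp(t->tty,   cur->tty)   != 0) return false;
    if ((policy & MATCH_RHOST) && strcmp(t->rhost, cur->rhost) != 0) return false;
    if ((policy & MATCH_PID)   && t->pid  != cur->pid)  return false;
    if ((policy & MATCH_PPID)  && t->ppid != cur->ppid) return false;
    return true;
}

/* Constructed sample tickets (not real data): the saved ticket, a later
 * command from the same shell, and a command from another terminal. */
static const struct ticket SAVED      = {"dan", "root", "ttyp1", "", 100, 99,  1000};
static const struct ticket SAME_SHELL = {"dan", "root", "ttyp1", "", 200, 99,  1100};
static const struct ticket OTHER_TTY  = {"dan", "root", "ttyp2", "", 300, 150, 1100};

int main(void)
{
    int policy = parse_match("user,tty,ppid");   /* hypothetical default policy */
    time_t timeout = 300;                        /* five minutes */
    printf("same shell, 100s later:  %s\n", ticket_valid(&SAVED, &SAME_SHELL, policy, timeout, 1100) ? "no password" : "ask password");
    printf("other tty, 100s later:   %s\n", ticket_valid(&SAVED, &OTHER_TTY,  policy, timeout, 1100) ? "no password" : "ask password");
    printf("same shell, 400s later:  %s\n", ticket_valid(&SAVED, &SAME_SHELL, policy, timeout, 1400) ? "no password" : "ask password");
    printf("clock stepped back:      %s\n", ticket_valid(&SAVED, &SAME_SHELL, policy, timeout,  900) ? "no password" : "ask password");
    return 0;
}
```

The field subset is the security knob here: matching on the user alone lets any process running as that user, in any session, ride on a ticket created elsewhere, while tty plus parent pid pins the ticket to the shell where the password was typed. Whichever subset is chosen, the ticket store has to live somewhere the user cannot write, or the timestamp itself becomes the credential.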

