[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM setting arb parameters



Andrew Morgan wrote:

> This is "credential" information.  If I understand it correctly, you
> are trying to do the following:
> 
> 1       client dials in
> 2       login authenticates user (via PAM)
> 3       login runs pppd
> 
> You would like 2 to obtain IP address etc., info and to thus modify
> the way in which pppd is invoked.  Is this correct?

Yes, but in a way that does not require any exterior scripts or outside
helper programs, it all happens seamlessly inside PAM.

For example, it would go like this:

1	client dials in
2	pppd runs (from mgetty, without a login)
3	pppd authenticates user via PAM (already supported)

Here comes the bit:

4	the PAM module underneath PAM optionally knows about ppp's special
options. (Such a PAM module might be the pam_radius module). This module
needs to tell pppd certain things, like possibly it's IP address, etc.
5	The PAM module (such as pam_radius) passes these optional parameters
through the generic PAM interface, through to the actual application
(such as pppd). These paramters are not parsed by PAM, they are simply
passed through.
6	The application (such as pppd) acts on these additional config
parameters.

> As a simple experiment, you could use environment variables (generated
> with pam_setenv()) to propagate the relevant info, and replace 3 with
> a shell wrapper which prepares an 'exec pppd XXXX ...' line, where
> 'XXXX ...' are all of the arguments that can be obtained from the
> inherited environment varialbes.

Hmmm - ok, let's look at this.

What we could define is this:

When a PAM module is called apon to authenticate someone, it can
optionally set a number of well known environment variables (eg
PAM_IPADDRESS, PAM_GROUP, PAM_FIREWALL) with additional information.

The actual PAM library will completely ignore these environment
variables.

The application that uses PAM then looks to see if these environment
variables exist, and act on them if they do.

In this way one could have the situation where someone was authenticated
via PAM using login, and then later when they run pppd the environment
is set up for them.

The only problem is that if the user had shell access between the time
the PAM authentication occured, and the time the app was run, they could
change these parameters, which may be a problem if this info is to be
enforced (such as pppd setting firewall rules, for example).

Any thoughts?

Regards,
Graham
-- 
-----------------------------------------
graham@vwv.com			"There's a moon
VWV Interactive				over Bourbon Street
						tonight...

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []