Re: userid and groups questions

Scott Nelson <sbnelson@thermeon.com> writes:

> tvaughan@aventail.com wrote:
> > This to me sounds like an issue PAM /should/ address. Do you really want
> > some module other than the first one to be able to set the user id?
> Perhaps we could have "credentials" modules that would get invoked after
> authentication and account management have been run?

Let's say in order to be authenticated, someone has to provide three sets
of credentials: a one-time password, a Social Security Number, and a static
password. But if each of these modules is allowed to get and set the userid
and the user id is set after all authentication modules have been run, then
you could have something like:

        User ID: alice
        alice's one-time password: 0x0f0f0f0f

        User ID: alice
        alice's SSN: 555-55-5555

        User ID: bob
        bob's password: gr8passwd

        <set user id = bob>

        Welcome to service bob.

Which means in order to compromise an identity, all I have to do is
compromise the last authentication module.

Perhaps there should be a pam_userid module that is invoked first that gets 
and sets the userid that is used by all subsequent modules? But this isn't
so easy. This userid would have to be normalized in such a way that it can
accommodate X.509 distinguished names, NT domain users, unix users, etc.

Just a thought.


Tom Vaughan <tvaughan at aventail dot com>
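To make the failure described above concrete, here is an added toy model of the stack; it is not real PAM and not the author's code. Three "required" modules share one PAM_USER item; in the unchecked variant every module may set it, while the hardened variant fixes the identity before the stack runs, as the proposed pam_userid module would. The module names, credential stores and typed answers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed credential stores standing in for the three authentication backends.
STORES = {
    "pam_otp":    {"alice": "0x0f0f0f0f"},
    "pam_ssn":    {"alice": "555-55-5555"},
    "pam_passwd": {"alice": "s3cret", "bob": "gr8passwd"},
}

@dataclass
class Handle:
    """Minimal stand-in for pam_handle_t: only the shared PAM_USER item."""
    user: Optional[str] = None

def auth_module(name, h, answers, pin_user):
    """One stacked auth module. answers[name] is the (user, secret) pair the
    client typed at this module's prompt (constructed test input)."""
    typed_user, secret = answers[name]
    if pin_user:
        # Hardened: the identity was fixed before the stack ran. A module may
        # only verify credentials for that identity, never choose a new one.
        if typed_user != h.user:
            return False
        user = h.user
    else:
        # As described in the post: every module both gets and sets PAM_USER.
        user = typed_user
        h.user = user
    return STORES[name].get(user) == secret

def run_stack(answers, pin_user=False, claimed_user=None):
    """Run the three modules as a 'required' stack in order otp, ssn, passwd.
    Returns the identity the service would receive, or None on failure."""
    h = Handle(user=claimed_user if pin_user else None)
    for name in STORES:
        if not auth_module(name, h, answers, pin_user):
            return None
    return h.user

# The exchange from the post: two modules satisfied as alice, the last as bob.
MIXED = {"pam_otp": ("alice", "0x0f0f0f0f"),
         "pam_ssn": ("alice", "555-55-5555"),
         "pam_passwd": ("bob", "gr8passwd")}

# A consistent run, where every prompt is answered for the same identity.
CONSISTENT = {"pam_otp": ("alice", "0x0f0f0f0f"),
              "pam_ssn": ("alice", "555-55-5555"),
              "pam_passwd": ("alice", "s3cret")}
```

With the unchecked stack, run_stack(MIXED) returns "bob", the identity set by the last module alone; with pin_user=True and claimed_user="alice" the same answers fail at pam_passwd, while the consistent answers succeed in both modes.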

