[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: userid and groups questions

Scott Nelson <sbnelson@thermeon.com> writes:

> Stephen Langasek wrote:
> > Upon reflection, I guess the idea the original poster was getting at was
> > that the PAM_USER item should be 'read-only' for the modules.  The same
> > thing applies, IMHO.  If there's a compelling reason to change the PAM_USER,
> > the module writer should have that option, in which case the module
> > documentation ought to make this clear.  If the concern is people writing
> > mischievous modules, then restricting access to PAM_USER isn't going to
> > prevent that.
> I thought the original idea he was getting at was that if you used three
> different authentication modules, each could ask the user "who are you?"  and
> the USER could put in different answers each time.  This might be valid,
> (e.g. "scott" for /etc/shadow, "snelson" for SMB, "Scott Nelson" for xyz), or
> the user could put in conflicting information ("scott", "scott", "fred").

Yup. And the corollary, "tvaughan" in the UNIX passwd database and
"tvaughan" in the NT domain database do not necessarily map to the same

This makes authorization very difficult though. I think it is reasonable to
require that identical user ids *must* map to the same human. I am mostly
concerned with each module's ability to alter the user id.

> I think the solution is to have only the first module ask "who are you?".  You
> then ask "prove it" the first time to ascertain the requested identity and then
> you can ask "prove it" two more times for the remaining modules.  Didn't I see
> that in the documentation?  use_first??

Yup. I like the idea of having a "Who do you claim to be?" phase, and then
the authentication modules are just "provers" after that.

This has gotten a bit off-topic. I'll quit at this point.


Tom Vaughan <tvaughan at aventail dot com>
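The "claim once, then prove" arrangement discussed in this thread, as an added example that is not part of the original messages or of Linux-PAM's own code: a small Python simulation of a PAM-style auth stack. The handle stand-in asks "who are you?" exactly once, before any module runs, and treats PAM_USER as read-only from then on, so a module that answers the identity question differently (here, one that claims to be "fred") is rejected. The back-ends, credentials, module functions, prompt strings and the required/requisite/sufficient handling are constructed toy versions; `use_first_pass` is the real Linux-PAM spelling of the "use_first??" option the message refers to, and in this simulation, as in the real one, it governs only the password, not the identity.

```python
"""Added example (not from the thread or from Linux-PAM): a toy PAM-style
stack where "who are you?" is asked once and modules only "prove it"."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed toy back-ends, one per module.  Never store real passwords this way.
UNIX_DB = {"scott": "hunter2"}
SMB_DB = {"scott": "hunter2"}     # SMB knows the same person as "scott"
XYZ_DB = {"fred": "letmein"}      # xyz only knows "fred"

SUCCESS, AUTH_ERR = "success", "auth_err"


class ItemIsReadOnly(Exception):
    """Raised when a module tries to alter PAM_USER after the claim phase."""


@dataclass
class Handle:
    """Stand-in for pam_handle_t: the items every module in the stack shares."""
    conv: Callable[[str], str]          # the application's conversation function
    user: Optional[str] = None          # PAM_USER
    authtok: Optional[str] = None       # PAM_AUTHTOK
    user_locked: bool = False           # True once the claim phase is over
    prompts: list = field(default_factory=list)   # every question put to the user

    def ask(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return self.conv(prompt)

    def get_user(self) -> str:
        # Like pam_get_user(): prompt only if nobody has set PAM_USER yet.
        if self.user is None:
            self.user = self.ask("login:")
        return self.user

    def set_user(self, name: str) -> None:
        if self.user_locked and name != self.user:
            raise ItemIsReadOnly(f"PAM_USER is {self.user!r}, refusing {name!r}")
        self.user = name

    def get_authtok(self, use_first_pass: bool) -> str:
        # use_first_pass: reuse the token an earlier module already collected.
        if self.authtok is None or not use_first_pass:
            self.authtok = self.ask("Password:")
        return self.authtok


def db_module(db: dict):
    """Build a 'prover' over one toy back-end (hypothetical module)."""
    def module(h: Handle, use_first_pass: bool) -> str:
        user = h.get_user()
        tok = h.get_authtok(use_first_pass)
        return SUCCESS if db.get(user) == tok else AUTH_ERR
    return module


def mischievous_module(h: Handle, use_first_pass: bool) -> str:
    """Hypothetical module that answers 'who are you?' on its own: claims 'fred'."""
    h.set_user("fred")       # rejected once the claim phase is over
    return SUCCESS


def authenticate(stack, conv) -> tuple:
    """Run [(control, module, use_first_pass), ...] with Linux-PAM-like
    required/requisite/sufficient semantics.  Returns (result, prompts)."""
    h = Handle(conv)
    h.get_user()             # claim phase: identity is fixed exactly once
    h.user_locked = True     # from here on the modules are only provers
    failed = False
    for control, module, ufp in stack:
        try:
            rc = module(h, ufp)
        except ItemIsReadOnly:
            rc = AUTH_ERR    # a module that disputes the identity simply fails
        if control == "requisite" and rc != SUCCESS:
            return AUTH_ERR, h.prompts
        if control == "sufficient" and rc == SUCCESS and not failed:
            return SUCCESS, h.prompts
        if control == "required" and rc != SUCCESS:
            failed = True
    return (AUTH_ERR if failed else SUCCESS), h.prompts


def scripted_conv(user: str, password: str):
    """Constructed user: answers every prompt from the given credentials."""
    return lambda prompt: user if prompt == "login:" else password


def demo():
    """The thread's scenario: three modules, the third trying to be 'fred'."""
    stack = [("required", db_module(UNIX_DB), False),
             ("required", db_module(SMB_DB), True),
             ("required", mischievous_module, True)]
    return authenticate(stack, scripted_conv("scott", "hunter2"))


if __name__ == "__main__":
    print(demo())
```

In `demo()` the user is asked "login:" once and "Password:" once (the SMB prover reuses the first password), and the stack fails because the third module tried to rename the caller. Dropping `use_first_pass` from the second module makes the password prompt appear twice, but the identity prompt is still asked only once. In Linux-PAM itself, `pam_get_user()` likewise returns the stored `PAM_USER` item without prompting once it has been set, which is what gives a stack a single answer to "who are you?"; there is no read-only flag on the item, and a module can still call `pam_set_item(PAM_USER, ...)`, which is exactly the concern raised in the thread.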
