[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

VERY strange PAM behavior with KPPP (fwd)



I posted a message asking for help in getting kppp to run as a regular user.
The posting below gives part of the secret and what the poster idenified as
a problem with using this method in zoot. The core of the answer is that
kppp uses PAM for autherization upon starting and one must change the line
in the /etc/pam.d/kppp file from:
auth       required    /lib/security/pam_pwdb.so
to:
auth       required     /lib/security/pam_console.so

This works in as far as allowing the regular user to launch kppp but on my
6.1 system I get the same problem he is identifying in 6.2 of the kppp
program that is really started by root not being able to connect to the
server. I get the same error he reports. Which seems logical to me. If one
executes an xhost this problem goes away.

Ok that is an answer to one problem but it raises others.
1. Is the author below correct that the line:
session    optional     /lib/security/pam_xauth.so
should make the xhost unecessary.

2. This is really a screwy way to do the authorization on kppp since it
results in every user ising the one kppp configuration file belonging to
root. root better not have saved the passwd to access a proprietary machine
becuse everyone can now log into that site just as root can. Needless to say
users can log into each others isp accounts. This is only ok when you have a
machine used by only one user. 

Would anyone out there explain this configuration to me and why it was done
this way?
Forwarded message:
> 
> I just upgraded my system from Red Hat 6.1 to 6.2, and things keep
> getting stranger.
> 
> For those unfamiliar with Red Hat's security setup for KPPP,
> /usr/bin/kppp is actually a link to /usr/bin/consolehelper.  This allows
> PAM to control who gets to run the actual KPPP executable, which is in
> /usr/sbin/kppp.
> 
> I have my system configured to allow all console users (me) to run KPPP.
> Here is /etc/pam.d/kppp:
> 
>     #%PAM-1.0
>     auth       sufficient   /lib/security/pam_rootok.so
>     auth       required     /lib/security/pam_console.so
>     session    optional     /lib/security/pam_xauth.so
>     account    required     /lib/security/pam_permit.so
> 
> and here is /etc/security/console.apps/kppp:
> 
>     USER=root
>     PROGRAM=/usr/sbin/kppp
>     SESSION=true
> 
> This worked as intended under Red Hat 6.1.  The behavior under Red Hat
> 6.2, however, is absolutely bizarre.
> 
> When I first log in as a non-root user, KPPP will not work; I get the
> following error:
> 
>     Xlib: connection to ":0.0" refused by server
>     Xlib: Client is not authorized to connect to Server
>     kppp: cannot connect to X server :0
> 
> (Note that the pam_xauth line in /etc/pam.d/kppp is supposed to prevent
> this.)
> 
> Here's where it gets really weird.  If I open a shell, su to root, and
> "touch /etc/pam.d/kppp", KPPP starts working for non-root users!  The
> best I can figure is that /etc/pam.d/kppp is only getting parsed if its
> timestamp is later that the time at which the user logged on, but I have
> no earthly idea why that should be the case.
> 
> As the say in the movies, "What the #@%& is going on around here?"
> 
> BTW, I'm not sure if my subscribe request for this list worked, so
> please cc me on any replies.  Thanks!
> 
> -- 
> ========================================================================
> Ian Pilcher                                       pilcher@concentric.net
> ========================================================================
> 
> -- 
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null
> 

-------------------------------------------
Aaron Konstam         
Computer Science
Trinity University
715 Stadium Dr.
San Antonio, TX 78212-7200

telephone: (210)-999-7484
email:akonstam@trinity.edu



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []