
Re: /etc/pam.d/files



On Fri, Aug 18, 2000 at 12:53:16PM -0400, Nalin Dahyabhai wrote:
> On Fri, Aug 18, 2000 at 11:39:20AM -0400, Nicolas Williams wrote:
> > I'd really like to have pam_stack, and pam_oneof, and, and, well, all
> > this is really an expansion of the PAM config system.
> > 
> > In the absence of a more flexible config language pam_stack will do.
> 
> PAM actually has a very flexible configuration language.  The extended
> syntax (see section 4.1 of the System Administrators' Guide for the full
> details) lets you customize the logic in a particular configuration file
> to cover every case I could think of.

Well, PAM's config is flexible, it could be more so, methinks. I'll have
to reach back into my memory to find an example I thought of months
ago...

But if it were much more flexible PAM's config system could no longer be
line oriented.

> The different options that each module takes, combined with the
> flexibility of the enhanced syntax, just makes it hard to parse and edit
> PAM configurations dependably in software.

True. At least the configs are line oriented.

Imagine if you could have something more like this:

telnet auth { ((pam_ldap || pam_krb5 try_first_pass) && pam_unix) || fail }

Actually, a boolean spec might be easier to parse and edit in software
than the current line oriented system. It might be harder for humans to
parse though...

> Nalin


Nico
--
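
Added example, not part of the original message and not PAM code: a small parser and evaluator for the boolean line imagined above, to show which module outcomes such a policy would accept. The grammar, the precedence of && over ||, short-circuit evaluation, and the names parse_line and evaluate are assumptions; the module results passed in are constructed.

```python
import re
# Assumed grammar (the post shows only one sample line); '&&' binds tighter than '||':
#   line := service type "{" expr "}"   atom := "(" expr ")" | module arg*
SAMPLE = "telnet auth { ((pam_ldap || pam_krb5 try_first_pass) && pam_unix) || fail }"
TOKEN = re.compile(r"\|\||&&|[(){}]|[^\s(){}|&]+")
RESERVED = ("||", "&&", "(", ")", "{", "}")

def tokenize(text):
    toks = TOKEN.findall(text)
    if "".join(toks) != "".join(text.split()):   # something was skipped, e.g. a lone '|'
        raise ValueError("unrecognised character in input")
    return toks

def parse_chain(toks, op, sub):
    node, toks = sub(toks)
    while toks and toks[0] == op:
        right, toks = sub(toks[1:])
        node = (op, node, right)                 # left-associative
    return node, toks

def parse_or(toks):
    return parse_chain(toks, "||", lambda t: parse_chain(t, "&&", parse_atom))

def parse_atom(toks):
    if toks and toks[0] == "(":
        node, toks = parse_or(toks[1:])
        if not toks or toks[0] != ")":
            raise ValueError("missing ')'")
        return node, toks[1:]
    if not toks or toks[0] in RESERVED:
        raise ValueError("expected a module name or '('")
    n = next((i for i in range(1, len(toks)) if toks[i] in RESERVED), len(toks))
    return ("mod", toks[0], toks[1:n]), toks[n:]  # words up to the next operator are args

def parse_line(line):
    toks = tokenize(line)
    if len(toks) < 5 or toks[2] != "{" or toks[-1] != "}":
        raise ValueError("expected: service type { expr }")
    tree, rest = parse_or(toks[3:-1])
    if rest:
        raise ValueError(f"unexpected token {rest[0]!r}")
    return toks[0], toks[1], tree

def evaluate(node, results, called):
    if node[0] == "mod":                          # leaf; 'fail' is always False
        called.append(node[1])
        return node[1] != "fail" and results[node[1]]
    left = evaluate(node[1], results, called)     # short-circuit: skip the right side when decided
    return left if (node[0] == "||") == left else evaluate(node[2], results, called)
```

Evaluating the sample line with pam_ldap and pam_krb5 both failing returns False without ever calling pam_unix, so under these assumptions a pam_unix success alone never authenticates.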




