Re: Question about 'conditional pam schema'



On Mon, 19 Aug 2002 17:35:06 +0300
Tanel Kokk <tanel.kokk@eyp.ee> wrote:

> I have an imap server and authentication is done by pam. Now I want to
> implement such an authentication schema:
> 
> - users from ALL are authenticated by a traditional pam module (like
> pam_unix.so) OR by our self-created pam module (let's call it
> pam_myself.so)
> - users from a special machine are authenticated only by the
> module pam_myself.so and BY NO MODULE ELSE!
> 
> Is there some intelligent way to do so? Of course, it is possible
> to modify the imap server source and run two different imap servers (with
> different listening ports and pam services), but I would prefer not to do
> that, since there is some more intelligent way.
> 
> Btw. modifying the module pam_myself.so is in our hands.
> 
> 
> Tanel
> 
> my platform
> OS: Linux
> Distr: RedHat7.3
> imap: uw-imap (imap-2000c-15)
> pam: pam-0.75-19
> 

Tanel,

I think you can work out this issue by using PAM module stacking and
the pam_access module. This module allows you to grant or deny access
to users by reading the file /etc/security/access.conf, where you can
associate usernames, ttys, hostnames ... (have a look at
/usr/share/doc/pam-0.75/txts/README.pam_access on your RH distro)

Configure this file the following way (line ordering matters):

-:ALL:your_special_machine
+:ALL:ALL

Then stack your modules as shown:

auth        sufficient    /<yourpath>/pam_myself.so
auth        requisite     /lib/security/pam_access.so
auth        required      /lib/security/pam_unix.so
auth        required      /lib/security/pam_deny.so

When a user tries to log in, if the first module succeeds, the user
is allowed. If not, the next module is examined. Since it is marked as
'requisite', its success is mandatory for the user to be allowed access.
If so (i.e. the user does not come from your special machine), the next
module is invoked and you are then back with good old pam_unix. If not,
the user sees his login refused.

I hope this is a correct answer to your problem, as far as security is
concerned.

Have a nice day.

--
David
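As an added illustration (not code from either message in this thread), the Python simulation below applies Linux-PAM's control-flag semantics (sufficient, requisite, required) to the access.conf rules and auth stack proposed in the reply, with the modules stubbed and the host name kept as the reply's placeholder. It also evaluates a variant with pam_unix marked sufficient, since with pam_unix marked required the trailing required pam_deny makes the stack fail for every user who authenticates through pam_unix.

```python
"""Simulation of Linux-PAM auth-stack control flags over the reply's config.
Constructed example: modules are stubs, host names are placeholders."""

SPECIAL_HOST = "your_special_machine"  # placeholder name used in the reply

# /etc/security/access.conf as proposed: permission:users:origins.
# pam_access evaluates lines top to bottom and the first match wins.
ACCESS_CONF = [("-", "ALL", SPECIAL_HOST), ("+", "ALL", "ALL")]


def pam_access(req):
    """First-match evaluation; pam_access grants access if no line matches."""
    for perm, users, origins in ACCESS_CONF:
        if users in ("ALL", req["user"]) and origins in ("ALL", req["host"]):
            return perm == "+"
    return True


# Stubbed modules: the request says whether each credential kind is valid.
MODULES = {
    "pam_myself": lambda req: req["myself_ok"],
    "pam_access": pam_access,
    "pam_unix": lambda req: req["unix_ok"],
    "pam_deny": lambda req: False,  # pam_deny always fails
}


def run_stack(stack, req):
    """Linux-PAM semantics for the three control flags used in the reply."""
    failed = False  # a 'required' failure is remembered until the end
    for control, module in stack:
        ok = MODULES[module](req)
        if control == "sufficient":
            if ok and not failed:
                return True  # short-circuit: later modules are skipped
        elif control == "requisite":
            if not ok:
                return False  # immediate failure, nothing else runs
        elif control == "required":
            failed = failed or not ok  # keep running the remaining modules
        else:
            raise ValueError(control)
    return not failed


# The stack exactly as posted, and a variant with pam_unix 'sufficient'.
STACK_AS_POSTED = [("sufficient", "pam_myself"), ("requisite", "pam_access"),
                   ("required", "pam_unix"), ("required", "pam_deny")]
STACK_FIXED = STACK_AS_POSTED[:2] + [("sufficient", "pam_unix"),
                                     ("required", "pam_deny")]


def decide(stack, user, host, myself_ok, unix_ok):
    return run_stack(stack, {"user": user, "host": host,
                             "myself_ok": myself_ok, "unix_ok": unix_ok})
```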
