
Re: Question about 'conditional pam schema'



dplist@free.fr wrote:
On Mon, 19 Aug 2002 17:35:06 +0300
Tanel Kokk <tanel.kokk@eyp.ee> wrote:


I have an imap server and authentication is done by pam. Now I want to implement such an authentication schema:

- users from ALL are authenticated by a traditional pam module (like pam_unix.so) OR by our self-created pam module (let's call it pam_myself.so)
- users from the special machine are authenticated only by module pam_myself.so and BY NO MODULE ELSE!



[skip]


Then stack your modules as shown :

# pam_myself decides alone when it succeeds; otherwise the stack continues.
auth        sufficient    /<yourpath>/pam_myself.so
# pam_access (per /etc/security/access.conf) must pass or the stack stops here.
auth        requisite     /lib/security/pam_access.so
# pam_unix is 'sufficient', not 'required': with 'required' the final
# pam_deny line would fail every login that did not already pass pam_myself.
auth        sufficient    /lib/security/pam_unix.so
# Catch-all: anything that falls through is refused.
auth        required      /lib/security/pam_deny.so

When a user tries to log in and the first module succeeds, the user is
allowed. If not, the next module is examined. Since it is marked as
'requisite', its success is mandatory for the user to be allowed access.
If so (i.e. the user does not come from your special machine), the next
module is invoked and you are then back with good old pam_unix. If not,
the user sees his login refused.


I hope this is a correct answer to your problem, as far as security is
concerned.


That is what I meant. Thanks a lot for answer!


But we discovered a problem with the policy I described earlier. If users from ALL authenticate themselves by pam_unix, then the authentication attempt will fail against pam_myself, of course. And several failed auth. attempts will cause an account lock in our system. Therefore we have to change our policy:

- authenticating from special machine is done ONLY by module pam_myself
- authenticating from any other machines is done ONLY by module pam_unix

any ideas?


Tanel
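One way to express the revised policy (special machine: pam_myself only; every other host: pam_unix only) without any module ever seeing an attempt it is not supposed to judge is Linux-PAM's bracketed `[value=action]` control syntax, which lets one module's result jump over the lines that follow. This is an added example, not a config posted by either participant. It assumes a Linux-PAM that supports the `[value=action]` syntax, the module paths from the earlier reply, that pam_access can be used in the auth stack (as the earlier reply already does), and that /etc/security/access.conf is written so that pam_access succeeds only for logins originating from the special machine (the hostname `special.example.org` below is a made-up placeholder).

```text
# /etc/pam.d/imap  (added example, not from the thread)
#
# pam_access consults /etc/security/access.conf and succeeds only for the
# special machine. On success, skip the next 1 line (the pam_unix branch).
# Any other result is 'ignore'd, so it never counts as a failed attempt and
# never contributes to the final verdict.
auth    [success=1 default=ignore]    /lib/security/pam_access.so

# Any other host: pam_unix alone decides. 'done' returns success at once,
# 'die' returns failure at once, so pam_myself below is never reached and
# cannot register a failure against the account.
auth    [success=done default=die]    /lib/security/pam_unix.so

# Special machine: pam_myself alone decides, same immediate-return rule.
auth    [success=done default=die]    /<yourpath>/pam_myself.so

# Safety net: only reachable if a module above returned something unexpected.
auth    required                      /lib/security/pam_deny.so

# /etc/security/access.conf  (constructed to match the stack above)
#   permission : users : origins
# + : ALL : special.example.org
# - : ALL : ALL
```

Two things to check before relying on this: pam_access can only tell the special machine apart if the IMAP server sets PAM_RHOST (or PAM_TTY) with pam_set_item; if it does not, every client takes the pam_unix branch, so test one login from the special machine and one from elsewhere and confirm in the logs which module was consulted. Second, a hostname in access.conf is resolved through reverse DNS, so an IP address (or network prefix) is the more robust origin to list when the special machine has a fixed address.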






