
Re: Question about 'conditional pam schema'



On Wed, 21 Aug 2002 11:47:21 +0300
Tanel Kokk <tanel.kokk@eyp.ee> wrote:

> dplist@free.fr wrote:
> > On Mon, 19 Aug 2002 17:35:06 +0300
> > Tanel Kokk <tanel.kokk@eyp.ee> wrote:
> > 
> > 
> >>I have an imap server and authentication is done by pam. Now I want to
> >>implement such an authentication schema:
> >>
> >>- users from ALL are authenticated by a traditional pam module (like
> >>pam_unix.so) OR by our self-created pam module (let's call it
> >>pam_myself.so)
> >>- users from the special machine are authenticated only by
> >>module pam_myself.so and BY NO MODULE ELSE!
> >>
> 
> [skip]
> 
> > Then stack your modules as shown :
> > 
> > auth        sufficient    /<yourpath>/pam_myself.so
> > auth        requisite     /lib/security/pam_access.so
> > auth        required      /lib/security/pam_unix.so
> > auth        required      /lib/security/pam_deny.so
> > 
> > When a user tries to log in and if the first module succeeds, the
> > user is allowed. If not, the next module is examined. Since it is
> > marked as 'requisite', its success is mandatory for the user to be
> > allowed access. If so (-ie- the user does not come from your special
> > machine), the next module is invoked and you are then back with good
> > old pam_unix. If not, the user sees his login refused.
> > 
> > I hope this is a correct answer to your problem, as far as security
> > is concerned.
> > 
> 
> That is what I meant. Thanks a lot for answer!
> 
> But we discovered a problem with the policy I described earlier. If users
> from ALL authenticate themselves by pam_unix, then the authentication
> attempt will fail against pam_myself, of course. And several failed
> auth. attempts will cause an account lock in our system. Therefore we have
> to change our policy:
> 
> - authenticating from the special machine is done ONLY by module
> pam_myself
> - authenticating from any other machine is done ONLY by module pam_unix
> 
> any ideas?
> 
> 
> Tanel
> 

Maybe you should modify your pam_myself module to make it check whether
the remote host is your special machine and fail if false. You could add
a parameter to your module to pass the special machine's address, that
could be helpful if you change it someday. Hoping this is true ...

Have a nice day.

--
David
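A sketch of the host gate David suggests, as an added example that is neither Tanel's pam_myself nor code from this thread. It assumes a hypothetical module argument `host=<address>` on the pam config line (the "parameter to your module" above) and compares it with the remote host the service stored in `PAM_RHOST`; the address 192.0.2.10 and the `BUILD_PAM_MODULE` macro are constructed for the example. The decision logic is kept in two plain functions so it can be compiled and tested without libpam; the PAM entry points are only built when `BUILD_PAM_MODULE` is defined.

```c
/* Host gate for a custom PAM auth module (added example, not pam_myself itself).
 * Assumed config line (hypothetical argument name):
 *   auth sufficient /<yourpath>/pam_myself.so host=192.0.2.10
 * Build as a module:  cc -DBUILD_PAM_MODULE -fPIC -shared -o pam_myself.so gate.c -lpam
 * Without BUILD_PAM_MODULE only the portable decision logic is compiled. */
#include <stdio.h>
#include <string.h>

#define HOST_ARG_PREFIX "host="

/* Find the "host=" argument among the module arguments from the pam config line.
 * Returns a pointer to its value, or NULL if no such argument is present. */
const char *special_host_from_args(int argc, const char **argv)
{
    size_t plen = strlen(HOST_ARG_PREFIX);
    for (int i = 0; i < argc; i++) {
        if (argv[i] != NULL && strncmp(argv[i], HOST_ARG_PREFIX, plen) == 0)
            return argv[i] + plen;
    }
    return NULL;
}

/* Decide whether this request may be handled by the module at all.
 * Fails closed: a missing host= argument or an unknown remote host refuses,
 * so a misconfigured line cannot accidentally let the module run for everyone. */
int request_from_special_host(const char *special_host, const char *rhost)
{
    if (special_host == NULL || special_host[0] == '\0')
        return 0;
    if (rhost == NULL || rhost[0] == '\0')
        return 0;
    return strcmp(special_host, rhost) == 0;
}

#ifdef BUILD_PAM_MODULE
#define PAM_SM_AUTH
#include <security/pam_modules.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const void *rhost = NULL;
    (void)flags;
    /* PAM_RHOST is whatever the calling service (here the imap daemon) set. */
    if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    if (!request_from_special_host(special_host_from_args(argc, argv),
                                   (const char *)rhost))
        return PAM_AUTH_ERR; /* not the special machine: refuse before any credential check */

    /* Host gate passed. The module's own credential check belongs here;
     * this example carries none, so it refuses rather than granting. */
    return PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#else
/* Stand-alone run over constructed inputs (no PAM involved). */
int main(void)
{
    const char *args[] = { "debug", "host=192.0.2.10" }; /* constructed config-line arguments */
    const char *special = special_host_from_args(2, args);
    const char *peers[] = { "192.0.2.10", "198.51.100.7", NULL };
    for (int i = 0; i < 3; i++)
        printf("rhost=%-14s -> %s\n", peers[i] ? peers[i] : "(unknown)",
               request_from_special_host(special, peers[i]) ? "module may run" : "refuse");
    return 0;
}
#endif
```

The refusal happens before the module looks at any credentials, which is what keeps logins from the other machines from registering failed attempts against the account lock. Two caveats a practitioner would check: `PAM_RHOST` is only what the service chose to store (some daemons put a hostname there rather than an address, and local logins may leave it empty, so the gate must match the form your imap server actually sets), and a string comparison trusts the service's report rather than verifying the peer, so it selects policy but does not replace network-level controls.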




