
Re: An "orthogonal" way of using libpam

Hello Joerg,

On Wed, 25 Dec 2002, Joerg Sommer wrote:

> > One extra hypothetical but handy example:
> >    - on a restricted machine run one sshd that listens on all
> >      interfaces and uses a restrictive pam setup,
> >      run another one that listens on local interface only
> >      but allows test accounts to start sessions
> >
> > You can do a similar thing by tweaking sshd_config, but as soon as you
> > have more than one service you would use in that way (xdm? samba? imap?)
> > you may find PAM to be very handy. Even with sshd only, PAM is way more
> > powerful than sshd_config.
> Now I understand what you want. But I think it isn't a task of pam.
> Every application should provide a possibility to set the string passed
> to pam as service_name by pam_start().

But then you

1. still are bound to setting up /etc/pam.d/<string>;
that would be feasible for this example but wouldn't help the session locking
discussed before

2. still have to change all of the existing applications, essentially
giving them that extra "pam config" option (while it can be done,
easily, without sacrificing anything, at libpam level)

