
Hi ~

I'm attempting to use both LDAP and AFS for authentication of my users.
It may seem a little redundant, but I want some features of LDAP that AFS
doesn't have the ability to contain, plus to lock down the machine to only
the AFS users as well as the LDAP users that I've put in the system.

The authentication system works; I just wanted to ask if anyone could
check my security to make sure there isn't an obvious hole in my PAM
config.  I've been reading lots of material on PAM and think this is the
best way to do this, but suggestions and comments are very welcome.  I'll
try to post back to the list when I have the final system in place; I'm
working on the documents of what I did right now. :-)

Here is the system-auth file, most services forward the stack here.

~ Bryan


# We use AFS for the auth, challenge / response system
#  or use the local unix account
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_afs.so ignore_root setenv_password_expires
auth       sufficient   /lib/security/pam_unix_auth.so
auth       required     /lib/security/pam_deny.so

# Use LDAP account if it's there, otherwise
# you need a local UNIX account to actually login to this system
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so

# Now we go back to AFS to change their password.
password   sufficient   /lib/security/pam_afs.so ignore_root use_authtok
password   required     /lib/security/pam_unix_passwd.so nullok
password   required     /lib/security/pam_deny.so

# AFS has its own pass checks, but maybe this would be good for unix
#password   required    /lib/security/pam_cracklib.so retry=3
#password   required    /lib/security/pam_pwdb.so nullok shadow use_authtok
#password   required    /lib/security/pam_deny.so

# But finally we look to the local system for our home directories
#   * it may be possible, later to do both this and AFS home directories.
session    required     /lib/security/pam_limits.so
session    sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_unix_session.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
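Added example (my own code, not Bryan's config or anything from the PAM project): a small simulator of Linux-PAM control-flag semantics run over the posted auth and password groups, so each fallback path in the stack can be checked before it is deployed. It shows, for instance, that a password change can only succeed through pam_afs: when pam_afs fails, pam_unix_passwd is `required` rather than `sufficient`, so control falls through to the trailing `required pam_deny.so`. The module outcomes passed to `run_stack` are hypothetical inputs chosen to exercise each path, and `optional` is simplified to never deciding the result.

```python
# Constructed copy of the auth and password stacks posted above.
SYSTEM_AUTH = """
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_afs.so ignore_root setenv_password_expires
auth       sufficient   /lib/security/pam_unix_auth.so
auth       required     /lib/security/pam_deny.so
password   sufficient   /lib/security/pam_afs.so ignore_root use_authtok
password   required     /lib/security/pam_unix_passwd.so nullok
password   required     /lib/security/pam_deny.so
"""

# Modules whose result never depends on the user: pam_deny always fails.
FIXED_RESULTS = {"pam_deny.so": False}


def parse_stack(text, group):
    """Return [(control_flag, module_basename)] for one management group, in order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, outcomes):
    """Evaluate a stack with Linux-PAM semantics for required/requisite/sufficient.

    outcomes maps module basename -> True (success) / False (failure); modules not
    listed succeed unless FIXED_RESULTS says otherwise (hypothetical inputs).
    """
    required_failed = any_success = False
    for control, module in stack:
        ok = outcomes.get(module, FIXED_RESULTS.get(module, True))
        if control == "requisite" and not ok:
            return False                    # requisite failure ends the stack at once
        if control == "required" and not ok:
            required_failed = True          # remaining modules still run; result is failure
        elif control == "sufficient" and ok and not required_failed:
            return True                     # sufficient success returns immediately
        elif control != "optional" and ok:
            any_success = True
    return any_success and not required_failed


if __name__ == "__main__":
    pw = parse_stack(SYSTEM_AUTH, "password")
    print("AFS change ok:  ", run_stack(pw, {"pam_afs.so": True}))
    print("local change ok:", run_stack(pw, {"pam_afs.so": False, "pam_unix_passwd.so": True}))
```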
