
Re: pam_chroot and passwd



On Sun, Sep 07, 2003 at 01:16:53PM +0200, Werner Schalk wrote:
> I have installed and set up pam_chroot. It works pretty well, but the downside
> of it is that I can't get passwd for the chrooted users working (users should
> change their own system-wide passwords). Is this possible? I mean, they are
> chrooted, and which files are needed to get passwd working (I don't mean the
> libs, I mean like pam*.so files etc.)? In general, has anyone got
> documentation on this or ever tried this before?

Unless the authoritative passwd file you're using lives inside the
chroot, you'll have a somewhat difficult time of it.  In order for a
chrooted process to update /etc/passwd, you'll either have to make
something that breaks out of the chroot, or provide some service (e.g., a
web-based passwd changer) which can be used to do the job.

Or, if you're prepared to deal with having the live passwd file inside
the chroot and if you're using a pam_chroot that implements the auth
method, then this particular problem will be more easily solved.  In
that case, you'd just make pam_chroot the first auth module in the
applicable /etc/pam.d/* files.  For example, if your /etc/pam.d/sshd
looks like this:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_chroot.so


then you would change it to this:

#%PAM-1.0
auth       required     /lib/security/pam_chroot.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth


It's kind of a high-maintenance approach, but it should work.

-- 
Ed Schmollinger - schmolli frozencrow org
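
A check for the ordering described in the message above, added here as an example and not part of the original post: it parses a pam.d service file and reports which stacks pam_chroot appears in and whether it is the first auth module. The function names are hypothetical; the two sample files are the /etc/pam.d/sshd variants quoted in the message.

```python
import os

# The two /etc/pam.d/sshd variants quoted in the message, embedded as samples.
BEFORE = """\
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_chroot.so
"""
AFTER = """\
#%PAM-1.0
auth       required     /lib/security/pam_chroot.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
"""

def parse_pam(text):
    """Return (type, control, module, args) per rule, skipping comments."""
    rules = []
    # A trailing backslash continues a rule on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only, or malformed line
        rtype, rest = fields[0].lstrip("-"), fields[1:]
        if rest[0].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), len(rest) - 1)
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if rest:
            rules.append((rtype, control, os.path.basename(rest[0]), rest[1:]))
    return rules

def chroot_placement(text, module="pam_chroot.so"):
    """Report which stacks hold pam_chroot and whether it leads the auth stack."""
    rules = parse_pam(text)
    auth = [m for t, _, m, _ in rules if t == "auth"]
    return {
        "stacks": sorted({t for t, _, m, _ in rules if m == module}),
        "first_in_auth": bool(auth) and auth[0] == module,
    }
```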


