pam_login_access vs. pam_access

Thorsten Kukuk kukuk at suse.de
Mon Dec 12 15:21:20 UTC 2005 

On Sat, Dec 10, Mike Becher wrote:

> Hi,
> 
> I have found a module pam_access in Linux-PAM which implements the same 
> functionallity like the `original' version of pam_login_access from other 
> platforms like Free BSD or OpenBSD. Additionally we use a pam_login_access 
> module for Linux on the following sites: TU Chemnitz (Technical 
> University Chemnitz, Germany) and LRZ (Leibniz Computing Centre, Munich. 
> Germany).
> But there is a problem:
> /etc/security/access.conf is used by pam_access as the default 
> config file and /etc/login.access is used by pam_login_access. So you 
> can't transparently substituted one module through the other.
> Additionally the `new' pam_login_access module developed by Thomas Mueller 
> (a college from TUC) and me provides enhancements for example like:
>  * convert hostname to ip address support
>  * IPv4(/) IPv6 support
>  * network(address) / netmask support
> which are not part of the pam_access and the `original' pam_login_access 
> module (If you want know more about that please have a look at 
> http://www-user.tu-chemnitz.de/~mibe/sw/OpenPBS/home.php3 ).
> 
> Now I work on an integration of this module code into Linux-PAM and don't 
> know what is the better solution. Is it better to provide an additional 
> module pam_login_access with its own code tree, or to enhance existing 
> pam_access code with the new features and build two different modules 
> at compile time where one will then be pam_access and the second will be 
> pam_login_access. What's the consensus?

I see two possibilities:

1. maintain the pam_login_access code outside of Linux-PAM at your
   own. Gives you a lot of more freedom, and there are a lot of
   people doing this, too. Including me.

2. Enhance the current pam_access module to support the new functionality
   with /etc/security/access.conf. But don't make two different modules
   at compile time from it.

  Thorsten

-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk at suse.de
SUSE LINUX Products GmbH       Maxfeldstr. 5       D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B

More information about the Pam-list mailing list