pam_login_access vs. pam_access (fwd)
Mike Becher
Mike.Becher at lrz-muenchen.de
Thu Jan 5 12:47:02 UTC 2006
Hi again,
because I don't know whether my patch for the pam_access module (please
have a look at the forwarded message, but without the patch) will be accepted
by the list moderator or not (the message was too large, larger than 40kB,
because the patch size is 100735 bytes), I post it again, but now in 5
pieces, in messages with the subject "pam_access patch part X of 5".
I hope this code finds its way into the official distribution of
Linux-PAM.
Best regards,
Mike
short description:
-----------------
These patches enable:
* convert_hostname feature
* IPv4(/) IPv6 support
* the network(address) / netmask feature
* external helper feature
* manual support
1) patches whose content changes the configuration files
p01-Linux-PAM-0.99.2.1-config.h.in
p02-Linux-PAM-0.99.2.1-configure.in
p10-Linux-PAM-0.99.2.1-modules-pam_access-Makefile.am
p13-Linux-PAM-0.99.2.1-modules-pam_access-pam_access_config.h
2) patches which enable manual stuff for PAM itself
p05-Linux-PAM-0.99.2.1-modules-pam_access-access.conf.5
p09-Linux-PAM-0.99.2.1-modules-pam_access-login.access.5
p11-Linux-PAM-0.99.2.1-modules-pam_access-pam_access.8
3) patches with examples or other documentation stuff
p03-Linux-PAM-0.99.2.1-doc-modules-pam_access.sgml
p04-Linux-PAM-0.99.2.1-modules-pam_access-access.conf
p06-Linux-PAM-0.99.2.1-modules-pam_access-ChangeLog
p14-Linux-PAM-0.99.2.1-modules-pam_access-verify_access
4) patches for check_login_access test program
p07-Linux-PAM-0.99.2.1-modules-pam_access-check_login_access.8
p08-Linux-PAM-0.99.2.1-modules-pam_access-check_login_access.c
5) the patch against the old version of pam_access.c (gzipped because it is
60kB), which enables the new features and does the code rearrangement.
p12-Linux-PAM-0.99.2.1-modules-pam_access-pam_access.c.gz
---------- Forwarded message ----------
Date: Tue, 3 Jan 2006 23:23:49 +0100 (CET)
From: Mike Becher <Mike.Becher at lrz-muenchen.de>
To: Pluggable Authentication Modules <pam-list at redhat.com>
Subject: Re: pam_login_access vs. pam_access
On Mon, 12 Dec 2005, Thorsten Kukuk wrote:
> On Sat, Dec 10, Mike Becher wrote:
>
> > Hi,
> >
> > I have found a module pam_access in Linux-PAM which implements the same
> > functionality as the `original' version of pam_login_access from other
> > platforms like FreeBSD or OpenBSD. Additionally we use a pam_login_access
> > module for Linux at the following sites: TU Chemnitz (Technical
> > University Chemnitz, Germany) and LRZ (Leibniz Computing Centre, Munich,
> > Germany).
> > But there is a problem:
> > /etc/security/access.conf is used by pam_access as the default
> > config file and /etc/login.access is used by pam_login_access. So you
> > can't transparently substitute one module for the other.
> > Additionally the `new' pam_login_access module developed by Thomas Mueller
> > (a colleague from TUC) and me provides enhancements such as:
> > * convert hostname to ip address support
> > * IPv4(/) IPv6 support
> > * network(address) / netmask support
> > which are not part of the pam_access and the `original' pam_login_access
> > module (If you want to know more about that please have a look at
> > http://www-user.tu-chemnitz.de/~mibe/sw/OpenPBS/home.php3 ).
> >
> > Now I am working on an integration of this module code into Linux-PAM and don't
> > know which is the better solution. Is it better to provide an additional
> > module pam_login_access with its own code tree, or to enhance the existing
> > pam_access code with the new features and build two different modules
> > at compile time, where one will then be pam_access and the second will be
> > pam_login_access. What's the consensus?
>
> I see two possibilities:
>
> 1. maintain the pam_login_access code outside of Linux-PAM on your
> own. That gives you a lot more freedom, and there are a lot of
> people doing this, too. Including me.
>
> 2. Enhance the current pam_access module to support the new functionality
> with /etc/security/access.conf. But don't make two different modules
> at compile time from it.
>
> Thorsten
I'm back from holiday and have done some coding after reading this
mail ;-). Thanks to Thorsten for his comments.
I have decided that I want to do both. So I have enhanced the existing
pam_access module code and have done `some' code rearrangement. Now it is
possible for me to put the pam_access code into the pam_login_access source
framework and compile it as a standalone package. The new pam_login_access
package version 1.2.0 is available on
http://www-user.tu-chemnitz.de/~mibe/sw/OpenPBS/home.php3
But this may not really be of interest for the Linux-PAM project.
Additionally I have added a new feature to the pam_access code to be able
to call an external helper executable or script, to let it decide whether access
is granted to a service or not. This may be a nice feature, for example, if
someone wants to manage access to cluster nodes where the node is managed by
a batch system like SGE or OpenPBS.
Furthermore I have added manual pages for pam_access, access.conf and
check_login_access.
The check_login_access program is mainly for administrators to be able to
check the syntax and semantics of a supplied access control table and/or the
helper script.
And here is a patch to enable all this.
Best regards,
Mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher at lrz-muenchen.de
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-289-28721
Gruppe Hochleistungssysteme fax: +49-89-280-9460
Barer Strasse 21
D-80333 Muenchen
Germany
-----------------------------------------------------------------------------
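The IPv4/IPv6 and network/netmask origin matching that the message lists, as an added example that is not code from Linux-PAM, from pam_login_access, or from the patch discussed above (the patch itself is not on this page). It assumes access.conf's `permission : users : origins` line shape, first match wins, and networks written as address/prefix-length; the exact syntax the patch accepts, and its handling of hostnames, LOCAL or EXCEPT, is not shown here, so those are left out. The sample table and peer addresses are constructed.

```c
/* Added example, not code from Linux-PAM or from the patch described above:
 * evaluate an access.conf-style table whose origins may be IPv4 or IPv6
 * addresses or networks. The line shape "permission : users : origins" and the
 * address/prefix notation are assumptions; the patch's exact syntax is not shown. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* 1 if addr lies in net ("10.0.0.0/8", "2001:db8::/32" or a bare address),
 * 0 if not (an IPv4 entry never matches an IPv6 peer), -1 if net is malformed. */
static int addr_in_net(const char *addr, const char *net)
{
    char buf[64], *slash, *end;
    unsigned char a[16], n[16], mask;
    int af_a = strchr(addr, ':') ? AF_INET6 : AF_INET;
    int af_n = strchr(net, ':') ? AF_INET6 : AF_INET;
    int len = af_n == AF_INET6 ? 16 : 4, bits = len * 8, i;
    if (strlen(net) >= sizeof buf) return -1;
    strcpy(buf, net);
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    if (inet_pton(af_n, buf, n) != 1) return -1;
    if (slash) {                                  /* prefix length, e.g. /24 */
        bits = (int)strtol(slash, &end, 10);
        if (end == slash || *end || bits < 0 || bits > len * 8) return -1;
    }
    if (af_a != af_n || inet_pton(af_a, addr, a) != 1) return 0;
    for (i = 0; i < len && bits > 0; i++, bits -= 8) {   /* compare the first `bits` bits */
        mask = bits >= 8 ? 0xff : (unsigned char)(0xff << (8 - bits));
        if ((a[i] & mask) != (n[i] & mask)) return 0;
    }
    return 1;
}

/* 1 if the space-separated list contains ALL or an entry matching item; origin
 * entries match as networks, user entries by name. A malformed origin entry is
 * reported and treated as no match, so a typo cannot widen a rule. */
static int list_matches(const char *list, const char *item, int as_net)
{
    char buf[256], *tok;
    if (strlen(list) >= sizeof buf) return 0;
    strcpy(buf, list);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "ALL") == 0) return 1;
        if (!as_net) {
            if (strcmp(tok, item) == 0) return 1;
        } else {
            int r = addr_in_net(item, tok);
            if (r < 0) fprintf(stderr, "bad origin entry ignored: %s\n", tok);
            if (r == 1) return 1;
        }
    }
    return 0;
}

/* First line whose users and origins both match decides: 1 grant, 0 deny.
 * Only the first two colons separate fields, so IPv6 origins are safe. When
 * no line matches, this example denies; check what your module does then. */
static int check_access(const char *table, const char *user, const char *from)
{
    char line[256], *perm, *users, *origins;
    const char *p = table;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line) return 0;           /* overlong line: fail closed */
        memcpy(line, p, n); line[n] = '\0';
        p = nl ? nl + 1 : p + n;
        perm = line + strspn(line, " \t");
        if (*perm == '#' || *perm == '\0') continue;
        users = strchr(perm, ':');
        origins = users ? strchr(users + 1, ':') : NULL;
        if (!origins) continue;                   /* malformed line: ignored */
        *users++ = '\0'; *origins++ = '\0';
        if (list_matches(users, user, 0) && list_matches(origins, from, 1))
            return *perm == '+';
    }
    return 0;
}

static const char *const SAMPLE_TABLE =           /* constructed sample table */
    "# permission : users : origins\n"
    "+ : root : 127.0.0.1 ::1\n"
    "+ : ALL : 10.0.0.0/8 2001:db8::/32\n"
    "- : ALL : ALL\n";

int main(void)
{
    const char *who[] = {"root", "root", "alice", "alice", "alice", "alice"};
    const char *from[] = {"127.0.0.1", "::1", "10.23.4.5", "2001:db8:1::7",
                          "192.168.1.9", "2001:db9::1"};
    size_t i;
    for (i = 0; i < 6; i++)
        printf("%s from %s: %s\n", who[i], from[i],
               check_access(SAMPLE_TABLE, who[i], from[i]) ? "granted" : "denied");
    return 0;
}
```

Two points worth keeping when reviewing a real implementation: a rule for one address family must never match a peer of the other (the `af_a != af_n` check), and an unparsable origin must fail closed rather than silently matching, which is exactly the kind of thing a check_login_access-style table checker should flag before the table goes live.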