pam_access patch part 3 of 5
Mike Becher
Mike.Becher at lrz-muenchen.de
Thu Jan 5 12:49:05 UTC 2006
patches with examples or other documentation stuff
p03-Linux-PAM-0.99.2.1-doc-modules-pam_access.sgml
p04-Linux-PAM-0.99.2.1-modules-pam_access-access.conf
p06-Linux-PAM-0.99.2.1-modules-pam_access-ChangeLog
p14-Linux-PAM-0.99.2.1-modules-pam_access-verify_access
short description:
-----------------
These patches enable:
* convert_hostname feature
* IPv4(/) IPv6 support
* the network(address) / netmask feature
* external helper feature
* manual support
best regards,
mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher at lrz-muenchen.de
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-289-28721
Gruppe Hochleistungssysteme fax: +49-89-280-9460
Barer Strasse 21
D-80333 Muenchen
Germany
-----------------------------------------------------------------------------
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/doc/modules/pam_access.sgml Linux-PAM-0.99.2.1/doc/modules/pam_access.sgml
--- Linux-PAM-0.99.2.1.orig/doc/modules/pam_access.sgml 2005-05-27 12:33:15.000000000 +0200
+++ Linux-PAM-0.99.2.1/doc/modules/pam_access.sgml 2006-01-02 20:45:02.000000000 +0100
@@ -1,6 +1,7 @@
<!--
pam_access module docs added by Tim Berger <timb at transmeta.com>
+ enhancements are documented by Mike Becher <mike.becher at lrz-muenchen.de>
-->
@@ -18,13 +19,16 @@
<tag><bf>Author[s]:</bf></tag>
-Alexei Nogin <alexei at nogin.dnttm.ru>
+Alexei Nogin <alexei at nogin.dnttm.ru>,
+
+Thomas Mueller <thomas.mueller at hrz.tu-chemnitz.de>,
+
+Mike Becher <mike.becher at lrz-muenchen.de>
<tag><bf>Maintainer:</bf></tag>
<tag><bf>Management groups provided:</bf></tag>
-
-account
+account; authentication; session
<tag><bf>Cryptographically sensitive:</bf></tag>
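Review bot: the "Management groups provided" line now lists account, authentication and session, but nothing else in this document says what the module does in the authentication and session groups; the Description still only covers login access control. Add a sentence per group, or state explicitly that the auth and session entry points perform the same access check, so an administrator knows what `auth required pam_access.so` would mean.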
@@ -42,6 +46,8 @@
the stdin file descriptor with <tt/ttyname()/. Standard
gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/
calls. <bf/NIS/ is used for netgroup support.
+<bf/Network-netmask translation/ will be done by use of
+<tt/inet_ntop()/ and <tt/inet_pton()/.
</descrip>
@@ -57,10 +63,30 @@
<tag><bf>Recognized arguments:</bf></tag>
-<tt>accessfile=<it>/path/to/file.conf</it></tt>;
+<tt>accessfile=<it>/path/to/file.conf</it></tt>
+
+<tt>ask_helper_only</tt>
+
+<tt>convert_hostname</tt>
+
+<tt>debug</tt>
+
+<tt>file=<it>/path/to/file.conf</it></tt>
+
<tt>fieldsep=<it>separators</it></tt>
+
+<tt>helperfile=<it>/path/to/helper/executable</it></tt>
+
<tt>listsep=<it>separators</it></tt>
+<tt>onerr=<it>[</it>fail<it>|</it>success<it>]</it></tt>
+
+<bf>Deprecated arguments</bf>
+
+<tt>file <it>/path/to/file.conf</it></tt>
+
+<tt>onerr <it>[</it>fail<it>|</it>success<it>]</it></tt>
+
<tag><bf>Description:</bf></tag>
This module provides logdaemon style login access control based on
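Review bot: the argument list is missing the blank separator line between `<tt>listsep=<it>separators</it></tt>` and `<tt>onerr=<it>[</it>fail<it>|</it>success<it>]</it></tt>`, so those two will render as a single paragraph while every other argument gets its own; add the `+` blank line as was done for the rest of the list.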
@@ -68,28 +94,56 @@
network numbers), or on terminal line names in case of non-networked
logins. Diagnostics are reported through <tt/syslog(3)/. Wietse
Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
-several changes by A. Nogin.
+several changes by A. Nogin and the other authors.
<p>
The behavior of this module can be modified with the following
arguments:
<itemize>
-<item><tt>accessfile=/path/to/file.conf</tt> -
+<item><tt>accessfile=<it>/path/to/file.conf</it></tt> -
indicate an alternative <em/access/ configuration file to override
the default. This can be useful when different services need different
access lists.
+<item><tt>ask_helper_only</tt> - ask external helper program only if a
+user should get access to this service or not. Access control table
+will not be evaluated. Option <tt>helperfile</tt> must be specified
+also to activate this option.
+
+<item><tt>convert_hostname</tt> - if a hostname was specified in
+config file then try to convert it to IP address.
+
+<item><tt>debug</tt> - turn on debugging output.
+
<item><tt>fieldsep=<it>separators</it></tt> -
this option modifies the field separator character that
<tt/pam_access/ will recognize when parsing the access configuration
file. For example: <tt>fieldsep=|</tt> will cause the default `:'
character to be treated as part of a field value and `|' becomes the
-field separator. Doing this is useful in conjuction with a system that
+field separator. Doing this may be useful in conjuction with a system that
wants to use pam_access with X based applications, since the
<tt/PAM_TTY/ item is likely to be of the form "hostname:0" which
includes a `:' character in its value.
+<item><tt>file=<it>/path/to/file.conf</it></tt> - same meaning like
+<tt>accessfile=<it>/path/to/file.conf</it></tt>
+
+<item><tt>file <it>/path/to/file.conf</it></tt> - same meaning like
+<tt>file=/path/to/file.conf</tt> (for compatibility if someone has used
+pam_login_access) but use is deprecated.
+
+<item><tt>helperfile=<it>/path/to/helper/executable</it></tt> - if an external
+helper program was specified it will be asked whether a user
+should get access to this service or not. If option
+<tt>ask_helper_only</tt> was not specified this will be done after
+processing of access control table but only if user doesn't get access
+granted yet through evaluation process of access control table. Please
+have a look at sample <tt>verify_access</tt> helper script which may
+be include in this distribution. Please have a look at
+<tt>verify_access</tt> helper script description in section
+<bf>Examples/suggested usage</bf> below.
+
<item><tt>listsep=<it>separators</it></tt> -
this option modifies the list separator character that
<tt/pam_access/ will recognize when parsing the access configuration
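Review bot: the `ask_helper_only` item says `helperfile` must also be specified but not what happens when it is not (is the option silently ignored, or does the module treat it as an internal error and follow `onerr`?); state the behaviour. In the same hunk: "conjuction" is carried over into the + line and should read "conjunction", "same meaning like" should be "same meaning as" (twice), and "may be include in this distribution" should be "may be included in this distribution".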
@@ -99,13 +153,23 @@
group information obtained from a Windows domain, where the default built-in
groups "Domain Users", "Domain Admins" contain a space.
+<item><tt>onerr=fail</tt> (or <tt>onerr fail</tt>) -
+if an internal error occured let module return with failed. This means for
+example access forbidden.
+
+<item><tt>onerr=success</tt> (or <tt>onerr success</tt>) -
+if an internal error occured let module return with success. This means for
+example access granted which is the default behavior.
+
</itemize>
<tag><bf>Examples/suggested usage:</bf></tag>
Use of module is recommended, for example, on administrative machines
such as <bf/NIS/ servers and mail servers where you need several accounts
-active but don't want them all to have login capability.
+active but don't want them all to have login capability. Another
+example may be cluster computers where you need temporarly control
+over login capability.
For <tt>/etc/pam.d</tt> style configurations where your modules live
in <tt>/lib/security</tt>, start by adding the following line to
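Review bot: the `onerr=success` item should say plainly that the default fails open, i.e. any internal error in the module results in access being granted, so that administrators can decide whether `onerr=fail` is the appropriate setting for their service. Spelling in this hunk: "occured" should be "occurred" (both items), "temporarly" should be "temporarily", and "let module return with failed" reads better as "the module returns failure".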
@@ -124,4 +188,18 @@
A sample <tt>access.conf</tt> configuration file is included with the
distribution.
+A sample <tt>verify_access</tt> helper script is included with the
+distribution. This helper script will be called by <tt>pam_access</tt>
+module with the following command line
+<tscreen>
+<verb>
+/path/to/verify_access user from
+</verb>
+</tscreen>
+where <tt>from</tt> may be a tty, X display, service, remote hostname,
+or remote address. The helper executable should return with <tt>0</tt>
+(zero) if access to this service is granted and with <tt>1</tt> (one)
+if access is denied. All other exit codes result in an internal error,
+access will be denied, and a log message will be produced.
+
</descrip>
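Review bot: the exit-code convention stated here (0 = granted, 1 = denied) contradicts the header comment of the sample `verify_access` script later in this same patch, which says the opposite; the script's code follows this text, so the script comment is the one to fix. Since `from` may be a remote hostname or address supplied by the peer, the description should also tell helper authors to treat both arguments as untrusted input and keep them quoted rather than interpolating them into a command line. Minor: the sentence ending "with the following command line" needs a colon.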
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf Linux-PAM-0.99.2.1/modules/pam_access/access.conf
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf 2005-09-26 14:43:17.000000000 +0200
+++ Linux-PAM-0.99.2.1/modules/pam_access/access.conf 2006-01-02 17:24:32.000000000 +0100
@@ -1,5 +1,8 @@
# Login access control table.
#
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
@@ -63,3 +66,52 @@
#
# All other accounts are allowed to login from anywhere.
#
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via su cron .. tty5 tty6.
+#+ : root : su cron crond xdm :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+#+ : root : 127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+ : root : 192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+ : root : .foo.bar.org
+#
+# User "root" should be denied to get access from all other sources.
+#- : root : ALL
+#
+# User "foo" and members of NIS group "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if NIS service is available.
+#+ : @nis_group foo : ALL
+#
+# Users "xfs" and "foo" should be allowed to get acccess via su.
+#+ : xfs foo : su
+#
+# User "john" should get access from ipv4 net/mask
+#+ : john : 127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+ : john : ::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+ : john : 2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+ : john : 2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 net/mask
+#+ : john : 2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#- : ALL : ALL
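Review bot: several lines of the complex example contain the default field separator `:` inside the third field, namely `:0` in the `su cron crond xdm :0 tty1 ...` line and every IPv6 entry (`::ffff:127.0.0.0/127`, `2001:4ca0:0:101::1`, `2001:4ca0:0:101::/64`); the `fieldsep` description in the pam_access.sgml hunk says such values need a different separator, so either document how the parser copes with these lines (only the first two separators significant?) or add a comment that they require e.g. `fieldsep=|`. Also, `::ffff:127.0.0.0/127` is presented as the IPv6 form of the `127.0.0.0/24` rule above it, but a /127 covers only two addresses; the equivalent prefix length for a /24 in IPv4-mapped form is /120. Typo: "acccess" should be "access".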
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/ChangeLog Linux-PAM-0.99.2.1/modules/pam_access/ChangeLog
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/ChangeLog 1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/ChangeLog 2006-01-03 19:36:39.000000000 +0100
@@ -0,0 +1,95 @@
+* Tue Jan 3 2006 - mibe
+ - Switch COMPILE_AS_LOGIN_ACCESS introduced to be able to build
+ pam_access as pam_login_access stand alone module.
+* Mon Jan 2 2006 - mibe
+ - Function convert_hostname_r() introduced to make this reentrant.
+ But this may only work in case of use of inet_ntop().
+* Sat Dec 31 2005 - mibe
+ - Now check_login_access.c includes pam_access.c to make all
+ internal stuff static (means unseen).
+ Compile switch -DPAM_ACCESS_COMPILE_PROGRAM hides module code
+ in case of compiling of application.
+ - External helper program support introduced which can be used to
+ get exclusive or additionally information to config rules to deny or
+ allow access to this service.
+ - To distinguish between exclusive or additionally usage option
+ `ask_helper_only' introduced.
+ - To activate use of external helper program option
+ `helperfile=/path/to/helper/file/executable' introduced.
+ - In check_login_access option -o <pam_options> introduced. Most
+ other options removed.
+* Thu Dec 15 2005 - mibe
+ - Code from Andrey V. Savochkin which does more correct check of
+ IPv4 address in function from_match substituted to support IPv6
+ addresses also.
+* Wed Dec 12 2005 - mibe
+ - merge of pam_login_access code into pam_access code
+* Wed Dec 8 2005 - mibe
+ - options accessfile=... and others taken from pam_access for
+ compatibility
+ - syslog changed to pam_syslog
+* Mon Dec 6 2005 - mibe
+ - started to include this module into Linux-PAM
+* Tue Jul 28 2005 - mibe
+ - Makefile.am - pam_libs added
+ - etc_login.access added
+ - pam_login_access.spec added
+* Tue Jul 26 2005 - mibe
+ - login_access.5 example added
+ - pam_login_access.8 options added.
+* Mon Jul 25 2005 - mibe
+ - ChangeLog added.
+ - AUTHORS added.
+ - Empty NEWS and README added to make automake without option
+ foreign happy.
+ - Moved COPYING.LIB-2.0 to COPYING.
+* Thu Jul 22 2005 - mibe
+ - Function pam_login_access_pam_options() added for scanning command
+ line options which gets the module when it will be called by an
+ application.
+ - Options variables added that will be used by
+ pam_login_access_pam_options()
+ - pam_login_access_opt_msg_to_stdout - will only be used and
+ switched on by check_login_access program to redirect output
+ from syslog to stdout/stderr.
+ - pam_login_access_opt_msg_debug - used by pam module and
+ check_login_access program to enable debugging output.
+ - pam_login_access_opt_onerr - used by pam module and
+ check_login_access program to exit with success or error.
+ - pam_login_access_opt_filename - used by pam module and
+ check_login_access program to use an alternative login.access
+ file
+ - pam_login_access_opt_convert_hostname - used by pam module and
+ check_login_access program to convert a hostname into ip
+ address.
+ - PAM option "debug" introduced which enables debugging output.
+ Default (without option) is now disabled.
+* Thu Jul 19 2005 - mibe
+ - Function network_netmask_match()
+ - Function number_to_netmask()
+ - Function are_addresses_equal()
+ - Function isipaddr() now uses inet_pton() to check if string is a
+ valid IPv4 or IPv6 address.
+* Mon Jul 18 2005 - mibe
+ - Program check_login_access introduced which based on test
+ functionality which was further in login_access.c. Now you can
+ check your login.access syntax and semantics.
+ - Static variable pam_login_access_opt_msg_to_stdout introduced
+ that will only be used and switched on by check_login_access
+ program to redirect output from syslog to stdout/stderr.
+ - Check for yp_get_default_domain() added to configure.in.
+* Fri Jul 15 2005 - mibe
+ - Makefile.am added. Now you can type "make", "make install",
+ "make [DESTDIR=<dir>] install", "make clean", "make distclean",
+ "make dist", etc..
+ - etc_pam.d_sshd.example added.
+ - login.access.example added.
+* Thu Jul 14 2005 - mibe
+ - Code reconstruction for use with autotools.
+ - C-style transformation from K&R to ANSI C.
+* Tue Aug 1 2000 - thm
+ - Function conv_hostname added to convert hostname to ip address if
+ required.
+* Tue May 25 1999 - thm
+ - pam_login_access_{acct,auth,password,sess}.c added to split work
+ by PAM module into meaningful section.
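Review bot: several entries pair a weekday with a date that does not fall on that weekday: Dec 12 2005 was a Monday, Dec 8 2005 a Thursday, Dec 6 2005 a Tuesday, Jul 28 2005 a Thursday, Jul 22 2005 a Friday and Jul 19 2005 a Tuesday (the remaining entries are consistent); fix the weekdays or drop them. The Sat Dec 31 entry also refers to check_login_access.c, the -DPAM_ACCESS_COMPILE_PROGRAM switch and the helper program code, none of which is in this part of the series; a pointer to the part that carries those changes would help reviewers.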
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/verify_access Linux-PAM-0.99.2.1/modules/pam_access/verify_access
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/verify_access 1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/verify_access 2006-01-02 17:24:32.000000000 +0100
@@ -0,0 +1,40 @@
+#! /bin/bash
+#
+# This is an example helper script that may be called by
+# pam_access module.
+# Program will be called like:
+# program <user> <rhost/service>
+#
+# Meaning of exit code:
+# * Access is granted if program exits with 1.
+# * Access is denied if program exits with 0.
+# * All other exit values are leading to an error and
+# access is also denied.
+
+user="$1"
+rhost="$2"
+
+if [ "_$user" = "_" ]
+then
+ # access denied
+ exit 1
+fi
+
+if [ "_$rhost" = "_" ]
+then
+ # access denied
+ exit 1
+fi
+
+#
+# Do what you need to find out if user should get access or not.
+#
+
+#if [ "$user" = "john" -a "$rhost" = "localhost" ]
+#then
+# # access granted
+# exit 0
+#fi
+
+# access denied
+exit 1
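Review bot: the header comment inverts the exit-code convention: it says exit 1 grants and exit 0 denies, while the code below exits 1 on "access denied" and the commented-out grant branch exits 0, which matches the pam_access.sgml text in this patch (0 = granted, 1 = denied); fix the comment. Style: `[ "_$user" = "_" ]` is clearer as `[ -z "$user" ]`, and since nothing here is bash-specific, `#! /bin/sh` would make the sample portable. When the placeholder block is filled in, keep `$user` and `$rhost` quoted as done in the existing tests, since `$2` may be a remote hostname.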