New and improved pam_exec module
Thorsten Kukuk
kukuk at suse.de
Mon Jul 31 09:50:04 UTC 2006
On Sun, Jul 30, Daniel Richard G. wrote:
> * Instead of directly exec'ing a named program, the module invokes a
> /bin/sh command string, for greater flexibility.
Which flexibility should this give?
> * Is the syslog interaction properly following convention? I noticed an
> inconsistency in the formatting of syslog messages between pam_exec and
> pam_unix (both invoked from sshd)...
>
> Jul 7 15:12:53 bassoon pam_exec[28567]: Command exited with status 0
> Jul 7 15:12:53 bassoon sshd[28567]: (pam_unix) session opened for
> user skunk by (uid=0)
>
> ...but am uncertain of how things ought to be done here.
The pam_exec line is from a pam_exec implementation calling openlog/closelog.
This is very bad. You loose the information, which application called
pam_exec, you destroy the syslog options of the main applications and you
will get problems with threaded applications.
The pam_unix one looks more correct. You should always use pam_syslog.
We will not accpet self written logging functions again in Linux-PAM,
we are happy that all are replaced with pam_*() functions now.
> * The module will accept the following options, but I'm not sure what
> exactly it should do (if anything) with them:
>
> expose_account
> try_first_pass
> use_first_pass
> use_mapped_pass
We don't need them at all.
> * I'm a bit unclear on how pam_fail_delay() is supposed to work. Is the
> manner in which I handled it---and described it in the documentation---at
> all incorrect?
You should not call pam_fail_delay() from a module. The application has to
set it. Else you will overwrite defaults which the sysadmin set.
> Attached is a patch against current CVS to pam_exec.c and pam_exec.8.xml.
> It is gzipped, owing to its size.
I would prefer to handle such large changes like the kernel developers
do: A lot of small patches for every new functionality, so that it
is possible to review and discuss every change and not one very big
patch.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk at suse.de
SUSE LINUX Products GmbH Maxfeldstr. 5 D-90409 Nuernberg
--------------------------------------------------------------------
Key fingerprint = 8C6B FD92 EE0F 42ED F91A 6A73 6D1A 7F05 2E59 24BB
More information about the Pam-list
mailing list