PAM virtual domain support (Re: Pam)

Solar Designer solar at openwall.com
Mon Jun 12 15:09:25 UTC 2006


I've changed the message Subject since it was too generic for this
mailing list.

On Sun, Jun 11, 2006 at 10:29:43PM -0300, Daniel Fernandez wrote:
> I need a PAM module to auth virtual users in specific domains.
> 
> Example:
> 
> Define in one file:
> site1 = xtest.com
> 
> And when the user auths, the system finds the passwd in
> /home/virtual/site1/etc/passwd
> 
> It is a function for use in a hosting panel.

You'd need more than just a PAM module for the functionality that you
describe.  System services would need to determine and pass the target
domain name on to PAM and then provide the proper level of access in
accordance not only with the Unix account (which might be just a
"template account"), but also with the virtual domain name.  There's no
existing standard or widely accepted convention for how this should be
accomplished.  Thus, I don't think that there's a pre-existing PAM
module with this kind of functionality that is distributed on its own.

However, you might want to re-consider the need for this functionality.
If you don't want to be patching each individual service that would need
to support your virtual users, then you need to allocate a dedicated
Unix account to each user.  Once you do that, you can store those users'
names and password hashes right in the "global" files, as usual.  You
can still place their home directories under /home/virtual/site1 and so
on if you like.

There's no added security risk with the use of dedicated Unix accounts.
On the contrary, you improve the level of separation between your user
accounts.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
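
An added illustration of the dedicated-account approach suggested in the
reply above; it is not part of the original message and is not code from its
author or from Openwall.  Assumptions: the per-site file holds "user:hash"
lines, logins are named <site>_<user>, UIDs are allocated from 20000, the
shell is /sbin/nologin, and site2/example.org and all hashes are constructed
sample data.

```python
import re

# Constructed sample data; only "site1 = xtest.com" and the
# /home/virtual/site1 layout come from the thread.
SITE_MAP = "site1 = xtest.com\nsite2 = example.org\n"
VIRTUAL_PASSWD = {  # stands in for /home/virtual/<site>/etc/passwd
    "site1": "alice:<hash-1>\nbob:<hash-2>\n../evil:<hash-3>\n",
    "site2": "alice:<hash-4>\n",
}
SAFE_NAME = re.compile(r"[a-z][a-z0-9]{0,14}")  # assumed naming policy
SAFE_DOMAIN = re.compile(r"[a-z0-9.-]+")
UID_BASE = 20000  # assumed start of a UID range reserved for hosted users


def parse_site_map(text):
    """Return {site: domain} from 'site = domain' lines, skipping bad ones."""
    sites = {}
    for line in text.splitlines():
        site, _, domain = (part.strip() for part in line.partition("="))
        if SAFE_NAME.fullmatch(site) and SAFE_DOMAIN.fullmatch(domain):
            sites[site] = domain
    return sites


def plan_accounts(site_map, virtual_passwd):
    """Plan one dedicated Unix account (own UID and GID) per virtual user.

    Returns (passwd_lines, shadow_lines, rejected) for review; nothing is
    written to the real /etc/passwd or /etc/shadow.
    """
    passwd, shadow, rejected = [], [], []
    uid = UID_BASE
    for site, domain in sorted(parse_site_map(site_map).items()):
        for entry in virtual_passwd.get(site, "").splitlines():
            user, _, pw_hash = entry.partition(":")
            # Refuse names that could escape the site directory or break
            # the colon-separated file format.
            if not SAFE_NAME.fullmatch(user) or not pw_hash or ":" in pw_hash:
                rejected.append((site, user))
                continue
            login = f"{site}_{user}"  # same name on two sites stays distinct
            home = f"/home/virtual/{site}/{user}"
            passwd.append(
                f"{login}:x:{uid}:{uid}:{user}@{domain}:{home}:/sbin/nologin")
            shadow.append(f"{login}:{pw_hash}:::::::")
            uid += 1
    return passwd, shadow, rejected
```

Because every planned entry has its own UID and GID, ordinary file
permissions separate the hosted users from one another, and unmodified
services can authenticate them through the usual global files.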



