pam and netgroups
Thorsten Kukuk
kukuk at suse.de
Thu Apr 17 10:06:29 UTC 2008
On Wed, Apr 16, Tomas Mraz wrote:
> On Wed, 2008-04-16 at 18:58 +0300, Lassi Pölönen wrote:
> > Hi,
> >
> > I've been trying to implement netgroup based centralized authentication
> > control with pam. The downside of using pam_access with @users@@hosts
> > syntax is that when you have a group of users and group of hosts, it
> > seems all the users are allowed to log in to those hosts in defined
> > group. Therefore that requires configuration on every host - a host has
> > to know which group to honor. pam_access doesn't seem to check the host
> > entry in the triple either.
>
> This could be added to pam_access - we could use the current @netgroup
> match in the user field and supply the local machine name as the host
> parameter of innetgr(). This would have to be enabled by module option
> so it doesn't break old configurations though. Or we could add another
> prefix character syntax for this kind of netgroup match.
With the change to the LOCAL keyword we will do already, I don't think
that a parameter or another prefix character are necessary.
The current pam_access behavior is wrong in regard to how netgroups are
designed. Strictly speaking, we could even classify the current behavior
as a security problem.
For Linux-PAM 1.1, we should change the innetgr call and supply the
local hostname.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
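As an added illustration (not code from this thread or from Linux-PAM), the following Python models innetgr(3) triple matching over a constructed netgroup file, so the difference between pam_access's user-only lookup (host passed as NULL) and the proposed lookup with the local hostname supplied can be seen directly; the netgroup names and hosts are made up for the example.

```python
"""Model of netgroup triple matching: why a user-only innetgr() call admits
users that the netgroup never paired with the local host."""
import re

# Constructed /etc/netgroup-style data (example values, not a real site).
NETGROUP_DB = """
webadmins (web1.example.org, alice, ) (web2.example.org, bob, )
dbadmins  (db1.example.org, carol, )
admins    webadmins dbadmins (, root, )
"""

TRIPLE = re.compile(r"\(([^,)]*),([^,)]*),([^,)]*)\)")


def parse_netgroups(text):
    """Return {name: ([(host, user, domain), ...], [nested group names])}."""
    db = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, body = line.partition(" ")
        triples = [tuple(f.strip() for f in m.groups()) for m in TRIPLE.finditer(body)]
        nested = TRIPLE.sub(" ", body).split()  # bare words are nested netgroups
        db[name] = (triples, nested)
    return db


def _field_ok(field, value):
    # value None = the NULL argument to innetgr (accept anything);
    # an empty field in the triple is a wildcard; otherwise exact match.
    return value is None or field == "" or field == value


def innetgr(db, netgroup, host, user, domain, _seen=None):
    """innetgr(3) semantics: true if some triple matches every given field."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in db:  # unknown or cyclic group
        return False
    _seen.add(netgroup)
    triples, nested = db[netgroup]
    for h, u, d in triples:
        if _field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain):
            return True
    return any(innetgr(db, n, host, user, domain, _seen) for n in nested)


def pam_access_user_match(db, netgroup, user, local_host=None):
    """Old pam_access: local_host=None, so the host column is ignored.
    Proposed fix: pass the local hostname so host and user must match."""
    return innetgr(db, netgroup, local_host, user, None)
```

With the host argument left as None, alice matches "webadmins" on every machine; with the local hostname supplied she matches only on web1.example.org.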