[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam and netgroups

On Wed, Apr 16, Tomas Mraz wrote:

> On Wed, 2008-04-16 at 18:58 +0300, Lassi Pölönen wrote:
> > Hi,
> > 
> > I've been trying to implement netgroup based centralized authentication 
> > control with pam. The downside of using pam_access with @users@@hosts 
> > syntax is that when you have a group of users and group of hosts, it 
> > seems all the users are allowed to log in to those hosts in defined 
> > group. Therefor that requires configuration on every host - a host has 
> > to know which group to honor. pam_acces doesn't seem to check the host 
> > entry in triple neither.
> This could be added to pam_access - we could use the current @netgroup
> match in the user field and supply the local machine name as the host
> parameter of innetgr(). This would have to be enabled by module option
> so it doesn't break old configurations though. Or we could add another
> prefix character syntax for this kind of netgroup match.

With the change to the LOCAL keyword we will do already, I don't think
that a parameter or another prefix character are necessary. 
The current pam_access behavior is wrong in regard to how netgroups are
designed. Strictly spoken, we could even classify the current behavior
as security problem.
For Linux-PAM 1.1, we should change the innetgr call and supply the
local hostname.


Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]