PAM Design Question
R Coley
r.coley at mac.com
Tue Apr 21 21:27:39 UTC 2009
I have a couple of design questions.

Firstly, are there any guarantees (i.e. is it a documented standard)
regarding the order in which the PAM framework calls the PAM module
functions? Can you safely assume across all platforms that it is the
order specified in the config file?
My second question regards perhaps extending login functionality to
perform account lockout upon failed authentication. My initial
reaction is that this should be possible through PAM; however, to do
this effectively you would need to know the return code from the
entire module stack, which is only visible to the calling application.
e.g.

Suppose there are 3 authentication modules: mod_a, mod_b, mod_c.

login calls pam_authenticate().

pam_authenticate() -> PAM_STACK -> mod_a: pam_sm_authenticate()
                                -> mod_b: pam_sm_authenticate()
                                -> mod_c: pam_sm_authenticate() return FAILURE
pam_authenticate() <- FAILURE
The failure code is passed back to login by the PAM_STACK
framework; no other module is aware of this, unless I've missed
something fundamental!
Perhaps this is outside the design goals for PAM; however, it strikes
me that it would be quite neat to permit a PAM module to register a
callback against any of the function types (pam_sm_authenticate etc.),
and then for the PAM_STACK framework to call these functions with the
overall return code.
This would then enable the following flow:

login calls pam_authenticate().

pam_authenticate() -> PAM_STACK -> mod_a: pam_sm_authenticate()
                                   -> pam_set_callback(mod_a_authenticate_exit);
                                -> mod_b: pam_sm_authenticate()
                                   -> pam_set_callback(mod_b_authenticate_exit);
                                -> mod_c: pam_sm_authenticate() return FAILURE
                                -> mod_a_authenticate_exit(FAILURE)
                                -> mod_b_authenticate_exit(FAILURE)
pam_authenticate() <- FAILURE
Thoughts?
Rich
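The three-module walk described in the post, together with the exit-hook registration it proposes, as an added example that is not part of the original message and is not Linux-PAM code: a self-contained C model of an auth stack. model_authenticate() stands in for the PAM_STACK framework and is the only place the folded result is computed, model_set_exit_hook() stands in for the proposed pam_set_callback, and mod_a uses the hook to keep a per-user failure tally that refuses the account after three failures. The status values, the control-flag handling (a simplified reading of required/requisite/sufficient/optional), the module names and the credential checked by mod_c are all constructed for the illustration; none of it is libpam's real API.

```c
/* Added example, not Linux-PAM code: a stand-alone model of a PAM-style
 * auth stack plus the exit-hook idea from the post. All names invented. */
#include <stdio.h>
#include <string.h>

enum { MODEL_SUCCESS = 0, MODEL_AUTH_ERR = 1 };   /* arbitrary, not PAM_* values */
enum control { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };
typedef int  (*auth_fn)(const char *user, const char *pw);
typedef void (*exit_hook)(const char *user, int final_status);
struct entry { enum control ctl; const char *name; auth_fn fn; };

/* Hooks registered during one stack walk (stand-in for the proposed
 * pam_set_callback); the framework calls them with the overall result. */
#define MAX_HOOKS 8
static exit_hook hooks[MAX_HOOKS];
static int nhooks;

int model_set_exit_hook(exit_hook h)
{
    if (nhooks >= MAX_HOOKS) return -1;
    hooks[nhooks++] = h;
    return 0;
}

/* The framework walks the stack in config order and is the only party that
 * sees the folded result. Flag handling is a simplified model, not libpam's. */
int model_authenticate(const struct entry *stack, int n,
                       const char *user, const char *pw)
{
    int required_failed = 0, any_success = 0, counted = 0, decided = 0;
    int optional_rc = MODEL_AUTH_ERR, final = MODEL_AUTH_ERR;

    nhooks = 0;
    for (int i = 0; i < n; i++) {
        int rc = stack[i].fn(user, pw);
        enum control ctl = stack[i].ctl;
        printf("  %s: pam_sm_authenticate() -> %s\n", stack[i].name,
               rc == MODEL_SUCCESS ? "SUCCESS" : "FAILURE");
        if (ctl == OPTIONAL) { optional_rc = rc; continue; }   /* counts only if alone */
        counted = 1;
        if (ctl == REQUISITE && rc != MODEL_SUCCESS) { final = rc; decided = 1; break; }
        if (ctl == SUFFICIENT) {             /* success ends the walk, failure is ignored */
            if (rc == MODEL_SUCCESS && !required_failed) { final = rc; decided = 1; break; }
            continue;
        }
        if (rc == MODEL_SUCCESS) any_success = 1;  /* required/requisite passed */
        else required_failed = 1;                  /* required failed: keep walking */
    }
    if (!decided)
        final = !counted ? optional_rc
              : required_failed ? MODEL_AUTH_ERR
              : any_success ? MODEL_SUCCESS : MODEL_AUTH_ERR;
    for (int i = 0; i < nhooks; i++) hooks[i](user, final);   /* the post's proposal */
    nhooks = 0;
    return final;
}

/* mod_a: an in-memory tally module. Its authenticate step refuses a locked
 * user and otherwise registers the hook; only the hook learns the outcome. */
#define MAX_USERS 16
#define LOCK_AFTER 3
static struct { char name[32]; int failures; } tally[MAX_USERS];

static int *tally_slot(const char *user)
{
    for (int i = 0; i < MAX_USERS; i++) {
        if (tally[i].name[0] == '\0')
            snprintf(tally[i].name, sizeof tally[i].name, "%s", user);
        if (strcmp(tally[i].name, user) == 0) return &tally[i].failures;
    }
    return NULL;
}

int tally_failures(const char *user) { int *f = tally_slot(user); return f ? *f : -1; }

static void mod_a_exit(const char *user, int final_status)
{
    int *f = tally_slot(user);
    if (f) *f = (final_status == MODEL_SUCCESS) ? 0 : *f + 1;
}

static int mod_a_auth(const char *user, const char *pw)
{
    int *f = tally_slot(user);
    (void)pw;
    if (f && *f >= LOCK_AFTER) return MODEL_AUTH_ERR;   /* locked out */
    model_set_exit_hook(mod_a_exit);
    return MODEL_SUCCESS;
}

/* mod_b always passes; mod_c checks a constructed credential (alice/s3cret). */
static int mod_b_auth(const char *user, const char *pw) { (void)user; (void)pw; return MODEL_SUCCESS; }
static int mod_c_auth(const char *user, const char *pw)
{
    return (strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0) ? MODEL_SUCCESS : MODEL_AUTH_ERR;
}

/* The stack from the post: three "required" modules, in config-file order. */
static const struct entry auth_stack[] = {
    { REQUIRED, "mod_a", mod_a_auth },
    { REQUIRED, "mod_b", mod_b_auth },
    { REQUIRED, "mod_c", mod_c_auth },
};

int model_login(const char *user, const char *pw)
{
    printf("login %s: pam_authenticate()\n", user);
    int rc = model_authenticate(auth_stack, 3, user, pw);
    printf("  pam_authenticate() <- %s (failures=%d)\n",
           rc == MODEL_SUCCESS ? "SUCCESS" : "FAILURE", tally_failures(user));
    return rc;
}

int main(void)
{
    for (int i = 0; i < 3; i++) model_login("alice", "wrong");
    model_login("alice", "s3cret");   /* correct password, but mod_a now refuses */
    return 0;
}
```

Compile with cc -std=c99 and run: the first three logins fail in mod_c and the hook bumps the tally each time; on the fourth attempt mod_a refuses before mod_c sees the correct password, and because mod_a did not register its hook on that walk the tally stays put. Without the hook, only the folded return value reaches the caller, as the post describes, and mod_a and mod_b would have no way to tell a failed walk from a successful one.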