Igmar Palsenberg | 6 Jun 2006 10:22

Re: Problem with pam_mkhomedir and ACL


> we are trying get pam_mkhomedir working with ACL. Unfortunately
> pam_mkhomedir (version from debian sarge, 0.76) does not set the default
> mask right.

The default mask gets set from the parent dir by the kernel.

> It ignores our default ACL settings in the parent directory.

That's unlikely.

> We intensively googled on that problem, read a lot of source code but we
> were unable to find a solution for our problem.
> Copying /etc/skel manually to the directory works perfectly as well as
> creating a new directory with mkdir.

cp only copies ACLs, mkdir does nothing with ACLs. The most probable 
cause is that your default ACLs on the base dir are incorrect / missing. 
I've been using the above scenario without problems for years (but with 
webroot dirs).

	Igmar
Jacques Lebastard | 7 Jun 2006 14:32

PAM on AIX 5.3


I know this might not be the right place to talk about PAM on AIX but 
since I can't find any better mailing/newsgroup... If you know of a more 
appropriate place...

I wrote a PAM module in charge of authenticating users to a specific 
authentication server and retrieve a Unix login & pwd from single 
sign-on data. Upon a successful authentication, the module retrieves 
Unix login and pwd and uses pam_set_item to set PAM_USER and PAM_AUTHTOK 
to the Unix values (always different from what the user provided): any 
other PAM module configured with 'use_first_pass' should then use these 
to perform any required authentication.

This PAM module works fine on Solaris (except for ftp, because of a 
documented restriction in ftpd), HP-UX and Linux.

On AIX 5.3, the connection always fails with the following info in syslog:

auth|security:info syslog: pts/3: failed login attempt for UNKNOWN_USER 
from ...

I currently try this PAM module using telnet and the following entries 
in /etc/pam.conf (my PAM module is am_pam.so):

telnet  auth    required        /usr/lib/security/am_pam.so dump debug
telnet  auth    required        /usr/lib/security/pam_aix use_first_pass 
debug
OTHER   auth    required        /usr/lib/security/pam_prohibit debug

telnet  account required        /usr/lib/security/am_pam.so no_warn 

Daniel Fernandez | 12 Jun 2006 03:29

Pam

Hi.

I need a pam module to auth virtual users in specific domains.

Example:

Define in one file:
site1 = xtest.com

And when the user authenticates, the system finds the passwd in /home/virtual/site1/etc/passwd

It is a function for use in a hosting panel.

Does anyone have any idea if this module exists?

Sincerely Thanks.

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Solar Designer | 12 Jun 2006 17:09

PAM virtual domain support (Re: Pam)

I've changed the message Subject since it was too generic for this
mailing list.

On Sun, Jun 11, 2006 at 10:29:43PM -0300, Daniel Fernandez wrote:
> I need a pam module to auth virtual users in specific domains.
> 
> Example:
> 
> Define in one file:
> site1 = xtest.com
> 
> And when the user authenticates, the system finds the passwd in the
> /home/virtual/site1/etc/passwd
> 
> It is a function for use in a hosting panel.

You'd need more than just a PAM module for the functionality that you
describe.  System services would need to determine and pass the target
domain name on to PAM and then provide the proper level of access in
accordance not only with the Unix account (which might be just a
"template account"), but also with the virtual domain name.  There's no
existing standard or widely accepted convention for how this should be
accomplished.  Thus, I don't think that there's a pre-existing PAM
module with this kind of functionality that is distributed on its own.

However, you might want to re-consider the need for this functionality.
If you don't want to be patching each individual service that would need
to support your virtual users, then you need to allocate a dedicated
Unix account to each user.  Once you do that, you can store those users'
names and password hashes right in the "global" files, as usual.  You
can still place their home directories under /home/virtual/site1 and so
on if you like.

There's no added security risk with the use of dedicated Unix accounts.
On the contrary, you improve the level of separation between your user
accounts.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
Jesse Guardiani | 15 Jun 2006 16:55

Re: mod_auth_pam extended group auth patch

Jesse Guardiani wrote:
> Hello,
> 
> Please see attached for a patch to mod_auth_pam that
> adds extended group auth support to mod_auth_pam.
> 
> In other words, this patch allows you to auth by ANY
> group a user is a member of, not just their primary
> group.
> 
> I wrote this patch because I needed extended group
> auth functionality to seamlessly integrate my
> Subversion server with my W2K PDC using winbind.
> 
> My network policy states that any user who is a
> member of the "staging" windows group should have
> login access to the Subversion server. The user's
> primary group is the "Domain Users" group by default,
> so I couldn't use the stock mod_auth_pam code as
> I needed to auth by an extended group - "staging".
> 
> I noticed that Samba didn't have any trouble auth'ing
> by extended groups, so I set out to port the Samba
> /etc/group auth code to mod_auth_pam. This patch is
> the result of that. However, note that I found a bug
> in the Samba 3.0.21c code, so it's a little different
> than that code. I plan to submit a bug fix to the
> samba project shortly if the bug still exists in their
> source (I wrote this patch over a month ago, so I'm
> not sure about the current state of things).
> 
> If you'd like to compare this patch to the samba
> code, take a look at the validate_group() function
> in source/smbd/password.c
> 
> Anyway, this code has been stable for a month on my
> production Subversion server and in daily use by 3
> programmers, so "it works for me". Unfortunately, it
> still has a bit of Samba cruft attached to it, like
> safe_string.h and safe_strcpy_fn(). I simply do not
> have the time to refactor this code and remove this
> samba baggage.
> 
> I hope this is useful for someone. Is there a chance
> it can make it into the next mod_auth_pam release?

I've received zero feedback on this, other than the message
from Andreas Schindler stating that there was a better way,
offering example code even, but then never sending said example
code when I requested it.

When I was researching the problem before I wrote this patch,
I saw a lot of SVN folks stumbling over mod_auth_pam because
they thought it already did what this patch allows it to do.

I think it's valuable. What's the verdict?

-- 
Jesse Guardiani
Programmer/Sys Admin
jesse <at> guardiani.us
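The kind of check the patch above describes, as an added example that is not Jesse's patch and not mod_auth_pam or Samba code: a user passes if the named group is either the user's primary group (by gid) or lists the user as a supplementary member. The passwd and group records are constructed sample data embedded in the block rather than read from the system, and the member-list comparison is exact-token so that a user name that is a prefix of a member name is not accepted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data standing in for /etc/passwd and /etc/group;
 * it is not taken from the message, mod_auth_pam or Samba. */
struct pw_entry { const char *name; long gid; };

static const struct pw_entry sample_passwd[] = {
    { "alice", 10000 },   /* primary group is "Domain Users" */
    { "bob",   10000 },
    { "bo",    100 },     /* name is a prefix of "bob": must not match */
    { "carol", 100 },
    { "root",  0 },
    { NULL,    -1 }
};

static const char *const sample_group_lines[] = {
    "Domain Users:x:10000:",        /* no supplementary members */
    "staging:x:10001:alice,bob",
    "wheel:x:10:root,carol",
    NULL
};

/* Primary gid of user, or -1 if the user is unknown. */
static long primary_gid(const char *user)
{
    for (int i = 0; sample_passwd[i].name; i++)
        if (strcmp(sample_passwd[i].name, user) == 0)
            return sample_passwd[i].gid;
    return -1;
}

/* Split buf in place on ':' into at most max fields. Empty fields are
 * kept (strtok() would silently drop them and shift the gid column). */
static int split_colon(char *buf, char *fields[], int max)
{
    int n = 0;
    char *p = buf;
    while (n < max) {
        char *c;
        fields[n++] = p;
        c = strchr(p, ':');
        if (!c)
            break;
        *c = '\0';
        p = c + 1;
    }
    return n;
}

/* Exact-token match of user against a comma-separated member list. */
static int name_in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == ulen && strncmp(p, user, ulen) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* 1 if user is in group (primary gid or supplementary member), 0 if the
 * group exists but the user is not in it, -1 if user or group is unknown. */
int user_in_group(const char *user, const char *group)
{
    long pgid = primary_gid(user);
    if (pgid < 0)
        return -1;
    for (int i = 0; sample_group_lines[i]; i++) {
        char buf[256];
        char *f[4];
        int n;
        strncpy(buf, sample_group_lines[i], sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';
        n = split_colon(buf, f, 4);
        if (n < 3 || strcmp(f[0], group) != 0)
            continue;               /* malformed line or another group */
        if (strtol(f[2], NULL, 10) == pgid)
            return 1;               /* primary group match */
        return (n >= 4 && name_in_list(f[3], user)) ? 1 : 0;
    }
    return -1;                      /* no such group */
}

/* The policy from the message: "staging" members get access regardless
 * of their primary group. Returns 1 = allow, 0 = deny. */
int check_staging_policy(const char *user)
{
    return user_in_group(user, "staging") == 1;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "bo", "carol", "mallory" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s -> %s\n", users[i],
               check_staging_policy(users[i]) ? "allow" : "deny");
    return 0;
}
```

Unknown users and unknown groups both yield -1 rather than 0, so a caller can log "no such group" separately from "not a member"; either way the result is a denial.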
Bhaskar | 23 Jun 2006 09:29

Implementing Security Policies

Dear All,

I am trying to implement some security policies like password, login, etc.

On googling regarding the security policies, I found them implemented through SELinux and PAM modules.

Can anyone provide a pointer to the exact starting point for implementing these security policies?

Regards,
Bhaskar
Aaron Scamehorn | 23 Jun 2006 17:35

PAM & crond

Hello,

I am having a problem w/ a new RHEL 4 box & crond.

I have a user who has created some cron jobs, but they do not run.
 
The error I see in /var/log/cron is:
 
crond[2888]: (username) ORPHAN (no passwd entry).
 
Now, I know that this error typically means that a file is installed in /var/spool/cron for a username that doesn't have an entry in /etc/passwd.
 
True, this user doesn't have an entry in /usr/passwd.  This user is authenticated via NIS.
 
Is this error a result of the /etc/pam.d/crond file?  If so, how do I tell PAM to check NIS too?

Thanks,
Aaron
Thorsten Kukuk | 28 Jun 2006 16:17

Linux-PAM 0.99.5.0 released


Hello,

The Linux-PAM development team is pleased to announce the release
of version 0.99.5.0.

This time there are again a lot of changes. In short, we have now
manual pages for nearly all PAM functions and modules and have two new
PAM modules: pam_keyinit and pam_namespace.
We declare the old pam_rhosts_auth module deprecated; instead there
is a new pam_rhosts module, which uses the rootok() functions from libc.
Since the old module was a modified copy of the rootok() function from
BSD, the advantage is that we now support IPv6, too, and don't need to
care about porting security fixes. We are not sure if the old code is really
up to date and contains all security fixes. I even doubt that.

Release 0.99.5.0

* pam_tally: Fix support for large UIDs
* Fixed all problems found by Coverity
* Add support for Intel C Compiler
* Add manual page for pam_mkhomedir, pam_umask, pam_filter,
  pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
  pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
  pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn,
  pam_time, pam_limits, pam_debug, pam_tally
* The libpam memory debug code was removed
* pam_keyinit: New module to initialise kernel session keyring.
* pam_namespace: New module to configure private namespace for a session.
* pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable.
* pam_rhosts_auth: This module is now deprecated.

 Your Linux-PAM development team

-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk <at> suse.de
SUSE LINUX Products GmbH       Maxfeldstr. 5       D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = 8C6B FD92 EE0F 42ED F91A  6A73 6D1A 7F05 2E59 24BB
Frank Y.F. Luo | 28 Jun 2006 16:30

compiling under solaris

I need to port pam_mkhome module to solaris, so first I have to make 
sure it  compiles under solaris,

so I did nothing but unzip, configure, make, then errors here:

...
make[2]: Entering directory 
`/export/home/l/lu/luoy/project/sun-pam/Linux-PAM-0.99.4.0/libpam'
if /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. 
-I. -I..    -DDEFAULT_MODULE_PATH=\"/lib/security/\" -DLIBPAM_COMPILE 
-I./include  -DPAM_VERSION=\"0.99.4.0\"  -g -O2 -W -Wall 
-Wbad-function-cast -Wcast-align -Wcast-qual -Wmissing-declarations 
-Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes 
-Wwrite-strings -Winline -Wshadow -MT pam_modutil_cleanup.lo -MD -MP -MF 
".deps/pam_modutil_cleanup.Tpo" -c -o pam_modutil_cleanup.lo 
pam_modutil_cleanup.c; \
then mv -f ".deps/pam_modutil_cleanup.Tpo" 
".deps/pam_modutil_cleanup.Plo"; else rm -f 
".deps/pam_modutil_cleanup.Tpo"; exit 1; fi
 gcc -DHAVE_CONFIG_H -I. -I. -I.. 
-DDEFAULT_MODULE_PATH=\"/lib/security/\" -DLIBPAM_COMPILE -I./include 
-DPAM_VERSION=\"0.99.4.0\" -g -O2 -W -Wall -Wbad-function-cast 
-Wcast-align -Wcast-qual -Wmissing-declarations -Wmissing-prototypes 
-Wpointer-arith -Wreturn-type -Wstrict-prototypes -Wwrite-strings 
-Winline -Wshadow -MT pam_modutil_cleanup.lo -MD -MP -MF 
.deps/pam_modutil_cleanup.Tpo -c pam_modutil_cleanup.c  -fPIC -DPIC -o 
.libs/pam_modutil_cleanup.o
In file included from pam_modutil_private.h:14,
                 from pam_modutil_cleanup.c:7:
./include/security/pam_modutil.h:31: error: parse error before "gid_t"
./include/security/pam_modutil.h:31: warning: function declaration isn't 
a prototype
./include/security/pam_modutil.h:44: error: parse error before "gid_t"
./include/security/pam_modutil.h:44: warning: function declaration isn't 
a prototype
./include/security/pam_modutil.h:54: error: parse error before "gid_t"
./include/security/pam_modutil.h:54: warning: function declaration isn't 
a prototype
make[2]: *** [pam_modutil_cleanup.lo] Error 1
make[2]: Leaving directory 
`/export/home/l/lu/luoy/project/sun-pam/Linux-PAM-0.99.4.0/libpam'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory 
`/export/home/l/lu/luoy/project/sun-pam/Linux-PAM-0.99.4.0'
make: *** [all] Error 2

Any idea? Actually any comment about porting pam_mkhome to solaris will 
be welcome.

Thanks.

Frank
Andreas Schindler | 28 Jun 2006 16:18

Module Status

Howdy...

i would like to obtain the return status of a previously called module
inside its successor, e.g. (pam.d/myservice):

	auth    sufficient  pam_winbind.so  unknown_ok
	auth    required    pam_mymodule.so use_first_pass

Here, pam_mymodule would like to know what status pam_winbind returned
to the PAM library. How?

Thanks!
-- 
Dr.-Ing. Andreas Schindler

Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich

Telefon 06103-57187-21
Telefax 06103-373245

schindler <at> az1.de
www.az1.de
