Lynn York | 4 Nov 18:06 2008

PAM auth via network

Is there a way to having the pam_ldap module only authenticate users from a certain network?

Thanks,

Lynn

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
athul ss | 5 Nov 12:39 2008

source code for pam_securid

Hi,

Can anyone point me to source code for pam_securid.so module . The link provided in the archives is not working now.

Thanks,
Athul

Jesse Zbikowski | 12 Nov 03:18 2008

Revisited: how to get 'auth' result?

This issue was raised a couple of times this spring without response.
I would like to know, if there is more than one path for
authorization in the PAM stack, which one actually succeeded.  For
example, say I have a PAM configuration file like this:

auth sufficient pam_first.so
auth sufficient pam_second.so
acct sufficient pam_first.so
acct sufficient pam_second.so

The behavior I want is: whichever module succeeds for authorization,
use the same module when the application makes an accounting request.

The module pam_tacplus.so is "well-behaved" in this regard, in that
acct will not succeed unless auth already did.  pam_radius_auth.so
however, at least in my configuration, it is happy to succeed in the
acct request after a different module handled the auth request, which
breaks my scheme.

If it is not possible to get this behavior from PAM out of the box,
would it make sense to write a custom PAM module to handle this logic?
That is, my module would internally call pam_authenticate() /
pam_acct_mgmt() on other PAM services, according to my specifications.

With reference to the original posts on this topic: right now I would
be if my application could figure out whether it was pam_first.so or
pam_second.so which succeeded, perhaps via pam_get_item()

https://www.redhat.com/archives/pam-list/2008-June/msg00000.html
https://www.redhat.com/archives/pam-list/2008-May/msg00003.html
Dan Yefimov | 12 Nov 16:28 2008

Re: Revisited: how to get 'auth' result?

On 12.11.2008 5:18, Jesse Zbikowski wrote:
> This issue was raised a couple of times this spring without response.
> I would like to know, if there is more than one path for
> authorization in the PAM stack, which one actually succeeded.  For
> example, say I have a PAM configuration file like this:
>
> auth sufficient pam_first.so
> auth sufficient pam_second.so
> acct sufficient pam_first.so
> acct sufficient pam_second.so
>
> The behavior I want is: whichever module succeeds for authorization,
> use the same module when the application makes an accounting request.
>
> The module pam_tacplus.so is "well-behaved" in this regard, in that
> acct will not succeed unless auth already did.  pam_radius_auth.so
> however, at least in my configuration, it is happy to succeed in the
> acct request after a different module handled the auth request, which
> breaks my scheme.
>
Thus your scheme is vulnerable in that respect. Rework it. Read pam.conf manual 
and look for extended syntax there.

> If it is not possible to get this behavior from PAM out of the box,
> would it make sense to write a custom PAM module to handle this logic?
> That is, my module would internally call pam_authenticate() /
> pam_acct_mgmt() on other PAM services, according to my specifications.
>
Yes, that's possible, but such a module would be hardly dependent on PAM 
internals that can be changed without notice with each PAM release.

> With reference to the original posts on this topic: right now I would
> be if my application could figure out whether it was pam_first.so or
> pam_second.so which succeeded, perhaps via pam_get_item()
>
PAM was developed with application independence on authentication methods and 
their order in mind, so that is generally impossible. If your application is 
dependent on modules used and/or their order, it is broken in that respect.
-- 

Sincerely Your, Dan.
Jesse Zbikowski | 13 Nov 02:42 2008

Re: Revisited: how to get 'auth' result?

Dan, thanks for your comments.

On Wed, Nov 12, 2008 at 7:28 AM, Dan Yefimov <dan <at> nf15.lightwave.net.ru> wrote:
> On 12.11.2008 5:18, Jesse Zbikowski wrote:
>> pam_radius_auth.so
>> however, at least in my configuration, it is happy to succeed in the
>> acct request after a different module handled the auth request, which
>> breaks my scheme.
>>
> Thus your scheme is vulnerable in that respect. Rework it. Read pam.conf
> manual and look for extended syntax there.

Unfortunately I think that the advanced syntax does not help me here.
I was looking for a way to preserve state between the application
invoking the auth clause and the acct clause.  For instance:

if (auth sufficient pam_first.so) {
    acct sufficient pam_first.so
} elsif (auth sufficient pam_second.so) {
    acct sufficient pam_second.so
}

It looks like this is outside the scope of what pam.conf can express.

>> my module would internally call pam_authenticate() /
>> pam_acct_mgmt() on other PAM services, according to my specifications.
>>
> Yes, that's possible, but such a module would be hardly dependent on PAM
> internals that can be changed without notice with each PAM release.

If I understand correctly these functions are part of the PAM public
API, so my module should not break any more often than a normal
PAM-aware application.

> If your
> application is dependent on modules used and/or their order, it is broken in
> that respect.

It is non-standard because I want the PAM stack to determine the user
credentials (e.g. group membership) rather than the application,
perhaps based on which modules succeed.  From man 3 pam_setcred() I
infer that this is not the "PAM" way of doing things -- the
application is supposed to get group membership from "somewhere else".
So I would have to put in a hack to pass group info from my custom
PAM module to the application.  I could override one of the
pam_get_item(3) items which I am not using, e.g. use PAM_RHOST to
store the group name.
Jason Spiro | 13 Nov 10:30 2008

Re: pam_env: per-user environment file?

A year ago -- in http://thread.gmane.org/gmane.linux.pam/3056 -- Kees Cook <kees
<at> ubuntu.com> wrote:
> 
> Ubuntu has been carrying a patch against PAM to have a ~/.pam_environment
> file that is parsed for each user (which allows a way to set environment
> variables without regard to how a user logs in (ssh, gdm, etc)).
> 
> I've included the patch below.  Is this something that would be
> accepted into mainline PAM?
> 
Dear PAM maintainers:

I, too, would like the patch to be accepted into mainline PAM.  I forwarded the
patch to
http://sf.net/tracker/?func=detail&aid=2275405&group_id=6663&atid=306663
-- could you folks please review it and comment on it at that URL?

P.S.  Thanks for maintaining PAM.  I rely on it every day, and it has never let
me down.
Dan Yefimov | 13 Nov 12:18 2008

Re: Revisited: how to get 'auth' result?

On 13.11.2008 4:42, Jesse Zbikowski wrote:
> Dan, thanks for your comments.
>
> On Wed, Nov 12, 2008 at 7:28 AM, Dan Yefimov<dan <at> nf15.lightwave.net.ru>  wrote:
>> On 12.11.2008 5:18, Jesse Zbikowski wrote:
>>> pam_radius_auth.so
>>> however, at least in my configuration, it is happy to succeed in the
>>> acct request after a different module handled the auth request, which
>>> breaks my scheme.
>>>
>> Thus your scheme is vulnerable in that respect. Rework it. Read pam.conf
>> manual and look for extended syntax there.
>
> Unfortunately I think that the advanced syntax does not help me here.
> I was looking for a way to preserve state between the application
> invoking the auth clause and the acct clause.  For instance:
>
> if (auth sufficient pam_first.so) {
>      acct sufficient pam_first.so
> } elsif (auth sufficient pam_second.so) {
>      acct sufficient pam_second.so
> }
>
> It looks like this is outside the scope of what pam.conf can express.
>
In fact. The extended syntax only allows every module to process the account stage 
while not terminating the stack on any one error. Does it matter if all modules 
process the account stage along with the one which authenticated the user?

>>> my module would internally call pam_authenticate() /
>>> pam_acct_mgmt() on other PAM services, according to my specifications.
>>>
>> Yes, that's possible, but such a module would be hardly dependent on PAM
>> internals that can be changed without notice with each PAM release.
>
> If I understand correctly these functions are part of the PAM public
> API, so my module should not break any more often than a normal
> PAM-aware application.
>
You forget about reentrancy problems here. PAM functions are not reentrant.

>> If your
>> application is dependent on modules used and/or their order, it is broken in
>> that respect.
>
> It is non-standard because I want the PAM stack to determine the user
> credentials (e.g. group membership) rather than the application,
> perhaps based on which modules succeed.  From man 3 pam_setcred() I
> infer that this is not the "PAM" way of doing things -- the
> application is supposed to get group membership from "somewhere else".
>   So I would have to put in a hack to pass group info from my custom
> PAM module to the application.  I could override one of the
> pam_get_item(3) items which I am not using, e.g. use PAM_RHOST to
> store the group name.
>
Don't overcomplicate. Group membership information can be determined not from 
"somewhere else", but from the getgrent() function family, which relies on NSS. IOW, 
you need an NSS module complementary to your PAM one. PAM is responsible only for 
authentication and authorization.
-- 

Sincerely Your, Dan.
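The two stacks from Jesse's configuration and the control-flag rules Dan points to, as an added example that is neither Linux-PAM code nor anything posted in the thread: a small Python model of the pam.conf(5) keyword semantics and their [value=action] expansion, run over the posted config with pam_first behaving like the pam_radius_auth described (fails auth, succeeds at acct). Module names, verdicts and the fake_module helper are constructed for the example.

```python
# Constructed model of how Linux-PAM walks one management group of a stack,
# following the control-flag rules in pam.conf(5). Not Linux-PAM source.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE, PAM_PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE", "PAM_PERM_DENIED")

# Classic keywords as the [value=action] tables pam.conf(5) gives for them
# (abridged: new_authtok_reqd entries and the reset action are not modelled).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def run_stack(stack, phase):
    """stack: list of (control, module_name, fn) where control is a keyword or a
    {value: action} dict and fn(phase) returns a PAM_* status string.
    Returns (final_status, module whose verdict the stack kept)."""
    status, decided_by, failed, i = None, None, False, 0
    while i < len(stack):
        control, name, fn = stack[i]
        table = KEYWORDS[control] if isinstance(control, str) else control
        ret = fn(phase)
        action = table.get(ret[4:].lower(), table["default"])  # PAM_AUTH_ERR -> auth_err
        i += 1
        if action == "ignore":
            continue                      # this module's verdict does not count
        if action in ("bad", "die"):
            if not failed:                # the first failure is the one reported
                status, decided_by, failed = ret, name, True
            if action == "die":
                break                     # requisite: stop at once
        else:                             # ok, done, or integer N (ok + skip N modules)
            if not failed:
                status, decided_by = ret, name
            if action == "done" and not failed:
                break                     # sufficient: stop unless something failed earlier
            if isinstance(action, int):
                i += action
    return (status if status is not None else PAM_PERM_DENIED), decided_by

def fake_module(verdicts):
    """Constructed stand-in for a module: verdicts maps phase -> status."""
    return lambda phase: verdicts.get(phase, PAM_IGNORE)

# Posted config; pam_first acts like the pam_radius_auth in the thread: fails auth, passes acct.
pam_first = fake_module({"auth": PAM_AUTH_ERR, "acct": PAM_SUCCESS})
pam_second = fake_module({"auth": PAM_SUCCESS, "acct": PAM_SUCCESS})
POSTED_CONFIG = [("sufficient", "pam_first.so", pam_first),
                 ("sufficient", "pam_second.so", pam_second)]
```

Each call to run_stack starts from a clean state, so the auth stack ends on pam_second.so while the acct stack ends on pam_first.so. The skip actions of the extended syntax only move within one stack and carry nothing across to the next.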
Thorsten Kukuk | 17 Nov 14:00 2008

Re: pam_env: per-user environment file?

On Thu, Nov 13, Jason Spiro wrote:

> A year ago -- in http://thread.gmane.org/gmane.linux.pam/3056 -- Kees Cook <kees
> <at> ubuntu.com> wrote:
> > 
> > Ubuntu has been carrying a patch against PAM to have a ~/.pam_environment
> > file that is parsed for each user (which allows a way to set environment
> > variables without regard to how a user logs in (ssh, gdm, etc)).
> > 
> > I've included the patch below.  Is this something that would be
> > accepted into mainline PAM?
> > 
> Dear PAM maintainers:
> 
> I, too, would like the patch to be accepted into mainline PAM.  I forwarded the
> patch to
> http://sf.net/tracker/?func=detail&aid=2275405&group_id=6663&atid=306663
> -- could you folks please review it and comment on it at that URL?

I looked at it, and it is full of bugs and memory leaks ...

Will try to rewrite it.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Jozsef Kadlecsik | 17 Nov 15:28 2008

PAM and NSS for clusters

Hello,

In order to store users in alternate passwd, shadow and group files I have 
written some patches over Linux PAM 1.0.2 and an NSS module.

With these packages one can store the passwd, shadow and group files for 
the cluster users over GFS/OCFS2/Lustre/etc. We have been using such a 
setup for more than half a year in production. If somebody is interested, 
the patches, sources and the installation and configuration descriptions 
are available at

http://www.kfki.hu/~kadlec/sw/cluster/

The PAM patches fix some bugs and add new features too:

- By default Linux PAM links with libxcrypt instead of libcrypt from 
  glibc. However the source files include crypt.h and not xcrypt.h, thus 
  the functions from libcrypt are used in spite of linking with libxcrypt. 
- Simplify source when a function is used both in the pam_unix module and 
  in the helper binaries. 
- Linux PAM can check blowfish encrypted passwords (if the crypto library 
  supports it), however it did not support encrypting new passwords 
  with blowfish. One patch adds full blowfish support (and a "blowfish" 
  keyword) to pam_unix. 
- @include keyword support (for Debian/Ubuntu).

Best regards,
Jozsef

-
E-mail  : kadlec <at> blackhole.kfki.hu, kadlec <at> mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
Julián de Navascués | 20 Nov 20:09 2008

Altering entered PAM username

Hi all,

I wonder if it's possible to change the username inside a PAM auth module. I would like to do something like login with a user "guest" and map it to a real unix user account, for example "real_user" (like a switch user command, "su real_user")...

I have tried something like this:

#define PAM_SM_AUTH
#include <security/pam_modules.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)flags; (void)argc; (void)argv;

    /* Replace the user name the application asked PAM to authenticate. */
    int retval = pam_set_item(pamh, PAM_USER, "real_user");
    if (retval != PAM_SUCCESS)
        return retval;

    return PAM_SUCCESS;
}
Using this auth module with an ssh server I would expect to log in as "real_user" and see a prompt like real_user@machine$ and /home/real_user as the working directory... but it does not, and it logs that "guest" is not a valid unix user on the machine.

I would like to know what else is needed to map users...

Thanks for your help