Alessandro Bottoni | 16 Feb 2010 10:46

Per-User Authentication with Linux PAM?

Hi All,
I'm looking for a way (a module, a technique) to perform the usual
(local) Linux-PAM authentication on a per-user basis. That is: I need to
have a different authentication stack for each user of a Linux machine.

Googling around, I found this very interesting "pam_per_user" module:

http://www-dev.cites.uiuc.edu/pam/

http://www.feep.net/PAM/pam_per_user/

Created by Mark D. Roth in 2002.

I tried to compile and install it on my Linux Mint 8.0 machine but
apparently the code is so old that the compiler is unable to compile it.
BTW: I have got this error:

alex <at> alex-laptop /media/Shared/Sources/pam_per_user-0.4 $ make
gcc    -o pam_per_user.so.1 pam_per_user.o strlcpy.o -lpam -ldl
/usr/lib/gcc/i486-linux-gnu/4.4.1/../../../../lib/crt1.o: In function
`_start':
/build/buildd/eglibc-2.10.1/csu/../sysdeps/i386/elf/start.S:115:
undefined reference to `main'
collect2: ld returned 1 exit status
make: *** [pam_per_user.so.1] Errore 1

Anyway, I'm not interested in fixing it at the moment (because I do not
want a customer-supported solution, if I can avoid it).

Rather, I would like to know if any kind of per-user authentication

cordier | 16 Feb 2010 10:55

Vacation

Hello,
I am out of the office until 22/2.
In case of emergency, please contact the helpdesk.
helpdesk <at> dupuis.com

Gilles Cordier

Marc Weber | 16 Feb 2010 22:20

Re: Per-User Authentication with Linux PAM?

Hi Alex,

Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
> Hi All,
> I'm looking for a way (a module, a technique) to perform the usual
> (local) Linux-PAM authentication on a per-user basis. That is: I need to
> have a different authentication stack for each user of a Linux machine.
Maybe you should talk about the real problem you're trying to solve as
well. Maybe there is another simple solution to get your job done?

Marc Weber
Alessandro Bottoni | 17 Feb 2010 09:17

Re: Per-User Authentication with Linux PAM?

On 16/02/2010 22:20, Marc Weber wrote:
> Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
>> Hi All,
>> I'm looking for a way (a module, a technique) to perform the usual
>> (local) Linux-PAM authentication on a per-user basis. That is: I need to
>> have a different authentication stack for each user of a Linux machine.
> Maybe you should talk about the real problem you're trying to solve as
> well. Maybe there is another simple solution to get your job done?

Hi Marc,
well, actually, I'm trying to answer a quite strange request in the most
elegant way I can.

I have to configure an Ubuntu server in such a way that two different
users will be able to authenticate in the following two different ways.

1) A "local" user should be able to authenticate at the local/physical
console using a two-factor scheme based on pam_usb (username, password
and a USB flash memory). The USB flash memory will be used as a cheap ID
token.

2) A "remote" user should be able to authenticate via Internet (via
telnet/ssh or even via VNC/NX) using a two-factor scheme based on
pam_obc (username, password and a one-time password sent to the user's
cellphone via SMS using sendEmail and a free email/SMS gateway). That
is: the SIM of the cellphone will be used as a commodity ID token.

(Both users will be sudoers and the root account will be disabled, as
usual on Ubuntu)


Tomas Mraz | 17 Feb 2010 09:49

Re: Per-User Authentication with Linux PAM?

On Wed, 2010-02-17 at 09:17 +0100, Alessandro Bottoni wrote: 
> On 16/02/2010 22:20, Marc Weber wrote:
> > Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
> >> Hi All,
> >> I'm looking for a way (a module, a technique) to perform the usual
> >> (local) Linux-PAM authentication on a per-user basis. That is: I need to
> >> have a different authentication stack for each user of a Linux machine.
> > Maybe you should talk about the real problem you're trying to solve as
> > well. Maybe there is another simple solution to get your job done?
> 
> Hi Marc,
> well, actually, I'm trying to answer a quite strange request in the most
> elegant way I can.
> 
> I have to configure an Ubuntu server in such a way that two different
> users will be able to authenticate in the following two different ways.
> 
> 1) A "local" user should be able to authenticate at the local/physical
> console using a two-factor scheme based on pam_usb (username, password
> and a USB flash memory). The USB flash memory will be used as a cheap ID
> token.
> 
> 2) A "remote" user should be able to authenticate via Internet (via
> telnet/ssh or even via VNC/NX) using a two-factor scheme based on
> pam_obc (username, password and a one-time password sent to the user's
> cellphone via SMS using sendEmail and a free email/SMS gateway). That
> is: the SIM of the cellphone will be used as a commodity ID token.
> 
> (Both users will be sudoers and the root account will be disabled, as
> usual on Ubuntu)

Alessandro Bottoni | 17 Feb 2010 11:17

Re: Per-User Authentication with Linux PAM?

On 17/02/2010 09:49, Tomas Mraz wrote:
>> Maybe it is possible to use either pam_usb or pam_obc on the same user,
>> playing with the order of the configuration lines in the common-auth
>> file and/or with the "controls" ("requisite", "required", "sufficient",
>> "optional", etc.). I did not try yet...
> 
> You can use jumps in the configuration and pam_succeed_if or
> pam_listfile to do the decision. If you had more than two different auth
> stacks required, it would make the configuration really ugly, but for
> just two different stacks it would be manageable.
> 
> Example: 
> auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
> auth sufficient pam_remoteauth.so
> auth requisite pam_deny.so
> auth sufficient pam_localauth.so
> auth requisite pam_deny.so
> 
> The success=2 tells the libpam to skip the next two modules if the user
> is not in the local user list (the user is not localuser1 or
> localuser2).

Hi Tomas,
many thanks for your suggestion. It looks like it can solve my problem.
I just have a small doubt...

Did you actually mean: "The success=2 tells the libpam to skip the next
two modules if the user is /in/ the local user list (the user is
/either/ localuser1 /or/ localuser2)."

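Since the thread's answer to that question is cut off in the archive, here is an added worked example (my own code, written for this page; it is neither from the list nor from Linux-PAM) that models how libpam walks Tomas's five-line stack using the control semantics documented in pam.conf(5): `success=N` is "equivalent to ok with the side effect of jumping over the next N modules", so the jump is taken when pam_succeed_if succeeds, that is, when the user is in the localuser1:localuser2 list. pam_localauth.so and pam_remoteauth.so are the placeholder names from Tomas's example, the per-attempt module outcomes are constructed inputs, and the model simplifies every module result to plain success or failure.

```python
"""Model of how Linux-PAM walks an auth stack, following the control-flag
semantics documented in pam.conf(5).  Added example, not libpam code.

Simplifications: a module either succeeds ("ok") or fails ("fail"), and only
the success= and default= actions are honoured, which is enough for the four
keyword controls and for [success=N default=ignore] jumps.
"""
import re

# Keyword controls expanded to the bracketed form pam.conf(5) defines for them.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The stack proposed in the thread.  pam_localauth/pam_remoteauth are the
# thread's placeholder names, not real modules.
PER_USER_STACK = """
auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
auth sufficient pam_remoteauth.so
auth requisite pam_deny.so
auth sufficient pam_localauth.so
auth requisite pam_deny.so
"""

# Constructed stack showing that 'sufficient' cannot rescue a login once an
# earlier 'required' module has already failed.
REQUIRED_THEN_SUFFICIENT = """
auth required   pam_unix.so
auth sufficient pam_localauth.so
"""


def parse_stack(text):
    """Parse 'type control module [args...]' lines into (control, module, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError("cannot parse: " + raw)
        _type, control, module, args = m.groups()
        if control.startswith("["):
            ctrl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctrl = KEYWORDS[control]
        entries.append((ctrl, module, args.split()))
    return entries


def run_stack(entries, outcomes):
    """Walk the stack.  `outcomes` maps module name -> "ok"/"fail" (what the
    real module would return for this attempt).  Returns (result, executed),
    where `executed` lists the modules actually called, in order."""
    impression = None      # None: undecided, True: positive, False: negative
    executed = []
    i = 0
    while i < len(entries):
        ctrl, module, _args = entries[i]
        i += 1
        retval = outcomes.get(module, "fail")
        executed.append(module)
        # A control with no entry for this return value is treated as "bad".
        action = ctrl.get("success" if retval == "ok" else "default", "bad")
        if action == "ignore":
            continue
        if action.isdigit():        # N: same as "ok", then skip the next N modules
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):
            if impression is None:  # an earlier failure is never overridden
                impression = retval == "ok"
            if action == "done" and impression:
                break               # "sufficient": stop only if nothing failed before
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break               # "requisite": fail immediately
        else:
            raise ValueError("unsupported action: " + action)
    return ("ok" if impression else "fail"), executed


def simulate_login(user_is_local, local_ok=True, remote_ok=True):
    """Run PER_USER_STACK for a constructed login attempt."""
    outcomes = {
        "pam_succeed_if.so": "ok" if user_is_local else "fail",
        "pam_localauth.so":  "ok" if local_ok else "fail",
        "pam_remoteauth.so": "ok" if remote_ok else "fail",
        "pam_deny.so":       "fail",
    }
    return run_stack(parse_stack(PER_USER_STACK), outcomes)


if __name__ == "__main__":
    for label, args in [("local user", (True,)), ("remote user", (False,)),
                        ("local user, bad token", (True, False)),
                        ("remote user, bad OTP", (False, True, False))]:
        print(label, "->", simulate_login(*args))
    print("required failed, sufficient ok ->", run_stack(
        parse_stack(REQUIRED_THEN_SUFFICIENT),
        {"pam_unix.so": "fail", "pam_localauth.so": "ok"}))
```

Running it shows the point of the jump: a user in the list never has pam_remoteauth called (so no SMS is sent), a user outside the list never has pam_localauth called (so no USB token is requested), and in both branches a failed second factor ends at the `requisite pam_deny.so` line, which is what keeps the branch from falling through. The second constructed stack shows why the deny lines matter in the other direction: `sufficient` only terminates the stack when nothing before it has failed, so it cannot be used to bypass an earlier `required` failure.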

Tomas Mraz | 17 Feb 2010 11:38

Re: Per-User Authentication with Linux PAM?

On Wed, 2010-02-17 at 11:17 +0100, Alessandro Bottoni wrote: 
> On 17/02/2010 09:49, Tomas Mraz wrote:
> >> Maybe it is possible to use either pam_usb or pam_obc on the same user,
> >> playing with the order of the configuration lines in the common-auth
> >> file and/or with the "controls" ("requisite", "required", "sufficient",
> >> "optional", etc.). I did not try yet...
> > 
> > You can use jumps in the configuration and pam_succeed_if or
> > pam_listfile to do the decision. If you had more than two different auth
> > stacks required, it would make the configuration really ugly, but for
> > just two different stacks it would be manageable.
> > 
> > Example: 
> > auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
> > auth sufficient pam_remoteauth.so
> > auth requisite pam_deny.so
> > auth sufficient pam_localauth.so
> > auth requisite pam_deny.so
> > 
> > The success=2 tells the libpam to skip the next two modules if the user
> > is not in the local user list (the user is not localuser1 or
> > localuser2).
> 
> Hi Tomas,
> many thanks for your suggestion. It looks like it can solve my problem.
> I just have a small doubt...
> 
> Did you actually mean: "The success=2 tells the libpam to skip the next
> two modules if the user is /in/ the local user list (the user is
> /either/ localuser1 /or/ localuser2)."

Nick Owen | 17 Feb 2010 14:45

Re: Per-User Authentication with Linux PAM?

On Wed, Feb 17, 2010 at 3:17 AM, Alessandro Bottoni <alexbottoni <at> yahoo.it> wrote:
On 16/02/2010 22:20, Marc Weber wrote:
> Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
>> Hi All,
>> I'm looking for a way (a module, a technique) to perform the usual
>> (local) Linux-PAM authentication on a per-user basis. That is: I need to
>> have a different authentication stack for each user of a Linux machine.
> Maybe you should talk about the real problem you're trying to solve as
> well. Maybe there is another simple solution to get your job done?

Hi Marc,
well, actually, I'm trying to answer a quite strange request in the most
elegant way I can.

I have to configure an Ubuntu server in such a way that two different
users will be able to authenticate in the following two different ways.

1) A "local" user should be able to authenticate at the local/physical
console using a two-factor scheme based on pam_usb (username, password
and a USB flash memory). The USB flash memory will be used as a cheap ID
token.

2) A "remote" user should be able to authenticate via Internet (via
telnet/ssh or even via VNC/NX) using a two-factor scheme based on
pam_obc (username, password and a one-time password sent to the user's
cellphone via SMS using sendEmail and a free email/SMS gateway). That
is: the SIM of the cellphone will be used as a commodity ID token.

(Both users will be sudoers and the root account will be disabled, as
usual on Ubuntu)

The customer explicitly asked for a two-factor (password plus physical
element) strong authentication, so SSH alone is not enough (at least, as
far as I know). Before falling back to Aladdin's eToken, Yubico's
Yubikey or RSA SecurID I would like to try a cheaper and more manageable
solution based on COTS components (USB keys and GSM cellphones).

To be honest, the "local" and "remote" user could be merged in a single
"generic" profile. We just do not want to send the useless email/SMS
message when the user authenticates locally using the USB key (and, of
course, the system must not ask a remote user for his USB key).

Maybe it is possible to use either pam_usb or pam_obc on the same user,
playing with the order of the configuration lines in the common-auth
file and/or with the "controls" ("requisite", "required", "sufficient",
"optional", etc.). I did not try yet...

Any suggestion?

I may be missing something, but it seems to me that you can set /etc/pam.d/login to use pam_usb and then set /etc/pam.d/sshd to use radius or whatever method you'd like for remote access, correct?
 
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Alessandro Bottoni | 17 Feb 2010 16:31

Re: Per-User Authentication with Linux PAM?

On 17/02/2010 14:45, Nick Owen wrote:
> I may be missing something, but it seems to me that you can set
> /etc/pam.d/login to use pam_usb and then set /etc/pam.d/sshd to use
> radius or whatever method you'd like for remote access, correct?

Yes, I think you are right.

I could differentiate the kind of authentication to be used on the basis
of the requested service, that is: pam_usb for the local login (/bin/sh)
and pam_obc for the ssh remote access (/usr/bin/ssh). It should work...

This would restrict the remote access to the ssh protocol but this
should not be a real problem because many other services can be
"tunneled" through ssh anyway (and ssh is much more secure than other,
older protocols like telnet).

Thanks for having suggested it. I'll try it.

PS: the possibility to have a per-user configuration of PAM, using
pam_per_user or pam_succeed_if, is still fascinating and I think I will
investigate it some more in any case. I just saw that FreeBSD supports
pam_per_user in an official way. It is strange that the same module is
not supported by Ubuntu or any other major Linux distro.
-- 
Alessandro Bottoni
Website: http://www.alessandrobottoni.it/

"An expert is a man who has made all the mistakes which can be made in a
very narrow field."
     -- Niels Bohr
Ryan Phillips | 17 Feb 2010 23:08

Clarification of libpam module license

Good Day,

The libpam library package has a dual license structure (BSD and GPL).

What license applies to a custom pam module that is called via pam
from a GPL package?

Regards,
Ryan
