PAM Service Name Patch

Christer Bernerus bernerus at cs.chalmers.se
Fri Feb 23 19:48:16 EST 2001


What I, as a sysadmin, would like to see is the possibility of not only
having different service names for different programs, but also having them
differ depending on the authentication method.

One reason for this is that I would like to control who logs on to which
machine, and *how*. Using passwords and using e.g. Kerberos or AFS ticket
transfers results in different security exposures in the light of
trojan horses, or the user population on the machines.

Consider the situation of university teachers logging in to student machines.
In that case, we wouldn't like them to give their passwords, regardless of
whether the passwords are encrypted in transfer or not. However, doing Kerb5
ticket transfers is probably a different story, since these tickets have
time limits on their validity, something that passwords generally don't have,
or at least have with a much longer validity.

If there were an OTP password authentication method, there would be yet another
method that would represent a different security risk, and could call for 
another policy vs who may log on. PAM is a good framework that not only can
be used for selecting authentication policies, but also can be used for
controlling authorization policy, regardless of the method of authentication.

One way of enabling that kind of authz policy-making is to have different
PAM service names for different authn-methods.

Please forgive me if this has been discussed before. I'm new to this list.
In that case, I'd be interested in looking at some archived mail, if available.


Chris.

<bernerus at cs.chalmers.se>
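To make the per-method service split proposed in the message concrete, here is an added PAM configuration that is not from the original post or from OpenSSH. It assumes a hypothetical sshd that registers the service name sshd-password when it authenticated the user with a password and sshd-gssapi after a Kerberos 5 ticket exchange; the group name "teachers" and the deny-list path are constructed for the example.

```text
# /etc/pam.d/sshd-password   (hypothetical service name: selected by sshd only
# when the user was authenticated with a password)
auth      required   pam_unix.so
# Refuse password logins to members of any group listed in the deny file.
# onerr=fail keeps the deny in force if the file is missing or unreadable.
account   required   pam_listfile.so item=group sense=deny file=/etc/security/sshd-password.denygroups onerr=fail
account   required   pam_unix.so
session   required   pam_unix.so

# /etc/pam.d/sshd-gssapi   (hypothetical service name: selected by sshd only
# after a successful Kerberos 5 ticket exchange, so no password crossed the wire)
# No auth line: the ticket already authenticated the user. The ordinary
# account policy still applies (expiry, locked accounts), but no group deny.
account   required   pam_unix.so
session   required   pam_unix.so

# /etc/security/sshd-password.denygroups   (constructed sample: one group per line)
teachers
```

With this split, a teacher's account is refused when it arrives over the password path and admitted over the ticket path, which is exactly the authorization distinction the message asks for; with a single "sshd" service name, PAM cannot tell the two cases apart.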
