PAM Service Name Patch

Andrew Morgan morgan at transmeta.com
Sat Feb 24 05:20:27 EST 2001


Other ways of achieving the same ends:

Before leaving Sun, Vipin (one of the original PAM RFC authors) proposed
a more elaborate method for specifying the configuration syntax in the
PAM configuration file(s). The Linux-PAM implementation supports this
syntax. It allows for authentication trees like this:

  pam_listfile 'succeed if the PAM_USER is on this list'
  `-failure
       `-pam_unix
  `-success
       `-pam_otp

The trees can get quite elaborate, and can involve forward jumps to
support switch/case types of branching.

Additionally, there is the pam_stack.so idea that the Redhat folk ship
with their repackaging of the Linux-PAM distribution. One might imagine
writing a module of this sort that could conditionally invoke different
service names depending on context (username/remote host etc.).

Cheers

Andrew
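The branching described above is expressed in Linux-PAM with the bracketed control field (`[value=action ...]`, see pam.conf(5)). The toy evaluator below is an added example, not code from the post or from Linux-PAM; it models the ignore/ok/done/bad/die/N actions and walks the pam_listfile / pam_unix / pam_otp tree from the post, where pam_otp is a hypothetical module name and the return values are simplified strings.

```python
"""Toy evaluator for Linux-PAM's bracketed control syntax, e.g.
   auth [success=1 default=ignore] pam_listfile.so ...
Actions follow pam.conf(5): ignore, ok, done, bad, die, or an integer N
(treated as ok plus a forward jump over the next N modules)."""

SUCCESS = "success"
AUTH_ERR = "auth_err"


def parse_control(spec):
    """'[success=1 default=die]' -> {'success': '1', 'default': 'die'}"""
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("expected bracketed control field: %r" % spec)
    return dict(token.split("=", 1) for token in spec[1:-1].split())


def run_stack(stack, results):
    """Walk the stack once. `results` maps module name -> the value that
    module returns for this login; returns (stack status, modules consulted)."""
    status = None          # None: no module has contributed to the result yet
    consulted = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        rv = results[module]
        action = control.get(rv, control.get("default", "bad"))
        consulted.append(module)
        jump = 0
        if action.isdigit():           # N: ok + skip the next N modules
            jump, action = int(action), "ok"
        if action in ("ok", "done", "bad", "die"):
            # ok/done: override only if nothing has failed yet;
            # bad/die: the first failure is the one that sticks.
            if status in (None, SUCCESS):
                status = rv
        # ignore: contributes nothing to the result
        if action in ("done", "die"):
            break                      # terminate the stack now
        i += 1 + jump
    return (status if status is not None else "perm_denied"), consulted


# Constructed stack expressing the tree from the post above; pam_otp is a
# hypothetical module name, and pam_listfile's result picks the branch.
OTP_TREE = [
    (parse_control("[success=1 default=ignore]"), "pam_listfile"),
    (parse_control("[success=done default=die]"), "pam_unix"),
    (parse_control("[success=done default=die]"), "pam_otp"),
]
```

A user on the list never reaches pam_unix (the `success=1` jump skips it), while anyone else is decided by pam_unix alone, which is the switch/case shape the post describes.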

Christer Bernerus wrote:
> 
> What I, as a sysadmin would like to see is the possibility of not only
> having different service names for different programs, but also have them
> different depending on authentication method.
> 
> One reason for this is that I would like to control who logs on to which
> machine, and *how*. Using passwords and using e.g. Kerberos or AFS ticket
> transfers result in different security exposures in the light of
> trojan horses, or user population on the machines.
> 
> Consider the situation of university teachers logging in to student machines.
> In that case, we wouldn't like them to give their passwords, regardless of
> whether the passwords are encrypted in transfer or not. However, doing Kerb5
> ticket transfers probably is a different story since these tickets have
> time limits on their validity, something that passwords generally don't have,
> or at least have much longer validity.
> 
> If there were an OTP password authentication method, there would be yet another
> method that would represent a different security risk, and could call for
> another policy vs who may log on. PAM is a good framework that not only can
> be used for selecting authentication policies, but also can be used for
> controlling authorization policy, regardless of the method of authentication.
> 
> One way of enabling that kind of authz policy-making is to have different
> PAM service names for different authn-methods.
> 
> Please forgive me if this has been discussed before. I'm new to this list.
> In that case, I'd be interested in looking at some archived mail if available.
> 
> Chris.
> 
> <bernerus at cs.chalmers.se>
