PAM Service Name Patch
Andrew Morgan
morgan at transmeta.com
Sat Feb 24 05:20:27 EST 2001
Other ways of achieving the same ends:
Before leaving Sun, Vipin (one of the original PAM RFC authors) proposed
a more elaborate method for specifying the configuration syntax in the
PAM configuration file(s). The Linux-PAM implementation supports this
syntax. It allows for authentication trees like this:
pam_listfile 'succeed if the PAM_USER is on this list'
`-failure
`-pam_unix
`-success
`-pam_otp
The trees can get quite elaborate, and can involve forward jumps to
support switch/case types of branching.
Additionally, there is the pam_stack.so idea that the Redhat folk ship
with their repackaging of the Linux-PAM distribution. One might imagine
writing a module of this sort that could conditionally invoke different
service names depending on context (username/remote host etc.).
Cheers
Andrew
Christer Bernerus wrote:
>
> What I, as a sysadmin would like to see is the possibility of not only
> having different service names for different programs, but also have them
> different depending on authentication method.
>
> One reason for this is that I would like to control who logs on to which
> machine, and *how*. Using passwords and using e.g. kerberos or AFS ticket
> transfers have results in different security exposures in the light of
> trojan horses, or user population on the machines.
>
> Consider the situation of university teachers logging in to student machines.
> In that case, we wouldn't like them to give their passwords, regardless of
> whether the passwords are encrypted in transfer or not. However doing Kerb5
> ticket transfers probably is a different story since these tickets have
> time limits on their validity, something that passwords generally don't have,
> or at least have much longer validity.
>
> If there were an OTP password authentication method, there would be yet another
> method that would represent a different security risk, and could call for
> another policy vs who may log on. PAM is a good framework that not only can
> be used for selecting authentication policies, but also can be used for
> controlling authorization policy, regardless of the method of authentication.
>
> One way of enabling that kind of authz policy-making is to have different
> PAM service names for different authn-methods.
>
> Please forgive me if this have been discussed before. I'm new to this list.
> In that case, I'd be interested looking at som archived mail if available.
>
> Chris.
>
> <bernerus at cs.chalmers.se>
More information about the openssh-unix-dev
mailing list