incomplete/insufficient logic for making access decisions
fcusack at fcusack.com
Sun Mar 24 02:22:00 EST 2002
On Fri, Mar 22, 2002 at 10:41:12AM -0800, Darren J Moffat wrote:
> On Mon, 18 Mar 2002, Frank Cusack wrote:
> > I'd agree, this sounds like a reasonable (possibly even good) thing to do.
> > You'd have to delay PAM startup until a non-PAM auth started (if you used
> > PAM auth you'd have to end it and restart it -- ugly and not worthwhile).
> > Something like
> > # Account service to use for non-PAM authentication. When using
> > # PAM auth, this is always "sshd". When using non-PAM auth (eg rsa)
> > # the configured service name is used. Can contain %a which is
> > # substituted with the auth type. Default is "sshd".
> > PAMAcctService sshd
> I very strongly disagree with this. As one of the "keepers" of PAM
> at Sun (the original author) this is the wrong thing to do. Doing this
> increases the complexity of the administration.
> There is a better mechanism for doing this in Solaris but it is not yet
> public - we are in the process of doing this just now. I believe it
> solves the issue.
It may be the wrong thing, but PAM currently offers no other way to do it.
I was actually thinking to suggest setting something in appdata but then
every PAM module has to know about it. Of course if you can correct me
here I would love to know how to do this some better way.
The most portable mechanism is using a different service name. And it's
not so unwieldy, I don't think.
More information about the openssh-unix-dev