[ale] Implementing PAM

Christopher Fowler cfowler at outpostsentinel.com
Thu Sep 18 22:16:58 EDT 2003


On Thu, Sep 18, 2003 at 10:05:35PM -0400, Transam wrote:
> Please do post what you learn!

So far I've learned that even though my method of replacing the
glibc functions required much work, it may be better than having to
deal with the PAM stuff.  Every PAM module I have will require mods
anyway. I've modified the passwd structure, so anything returning
such a structure requires modifications.  It seems that when each module
claims they support feature X, it is only a small feature and not
full support.  I may not even implement.

The whole reason I modified getpwXXX() was so the actual authentication
layer was transparent to the application.  For example, SSH calls getpwnam(),
and if the user does not exist in flash and RADIUS is turned on then
getpwnam() calls getradname().  SSH never even sees the call to RADIUS.  I know
that PAM supports abstractions like this, but we need it to check
each method that may be enabled before declaring an invalid
user.  This feature may require mods to PAM.


> 
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
> On Thu, Sep 18, 2003 at 01:02:21PM -0400, Christopher Fowler wrote:
> > 
> > 
> > I'm looking at implementing PAM to do some custom 
> > authentication stuff.  I know you can tell PAM to authenticate
> > certain applications with certain methods, but is there
> > a way to tell PAM to try many?
> > 
> > 
> > 1) User connects to ssh server.
> > 2) Is user in /etc/passwd
> >    Yes:  Goto end
> >    No: 3) Is user in RADIUS Server
> >         Yes: Goto End
> >         No: 4) Is user in TACACS+ Server
> >             Yes: Goto End
> >             No: 5) Last try for LDAP
> >                 Yes: Goto End
> >                 No: "Unknown User"
> > 
> > END:
> >   User Authenticated.
> > 
> > 
> > 
> > In order to support our ACLs I'm going to
> > have to modify each of the above PAM modules to
> > support ACLs.
> > 
> > Chris
> > 
> > 
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
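The fall-through order asked about in the quoted message (local passwd, then RADIUS, then TACACS+, then LDAP) is what PAM's `sufficient` control flag expresses. The stack below is an added illustration, not configuration from either poster; the server addresses and shared secrets are placeholders, and the module names are those of the commonly packaged pam_unix, pam_radius_auth, pam_tacplus and pam_ldap modules.

```pam
# /etc/pam.d/sshd  (added example: auth stack that tries several backends in turn)
#
# "sufficient": success ends the stack immediately (the "Goto End" in the
# quoted flow); failure is ignored and control falls through to the next line.
# "use_first_pass" re-uses the password already collected by pam_unix so the
# user is not prompted once per backend.
auth    sufficient  pam_unix.so
auth    sufficient  pam_radius_auth.so use_first_pass
auth    sufficient  pam_tacplus.so use_first_pass server=TACACS_SERVER_PLACEHOLDER secret=TACACS_SECRET_PLACEHOLDER
auth    sufficient  pam_ldap.so use_first_pass
# Reached only when every backend above has failed: deny explicitly rather
# than relying on an empty stack, so a missing module cannot open the door.
auth    required    pam_deny.so

# Account checks follow the same pattern; "Unknown User" is what remains
# after every backend has declined the name.
account sufficient  pam_unix.so
account sufficient  pam_ldap.so
account required    pam_deny.so
```

Note that this stack only covers what PAM sees: sshd still resolves the login name through getpwnam() via NSS (/etc/nsswitch.conf) before PAM runs, which is the gap the getpwXXX() rewrite in the reply above is working around, since a name that no NSS source knows is rejected before any of these modules is consulted.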
