[ale] Implementing PAM
Dan Newcombe
Newcombe at mordor.clayton.edu
Thu Sep 18 23:25:27 EDT 2003
On Thu, 18 Sep 2003, Christopher Fowler wrote:
> 1) User connects to ssh server.
> 2) Is user in /etc/passwd
> Yes: Goto end
> No: 3) Is user in RADIUS Server
> Yes: Goto End
> No: 4) Is user in TACACS+ Server
> Yes: Goto End
> No: 5) Last try for LDAP
> Yes: Goto End
> No: "Unknown User"
Yes...you can chain modules together. There is the notion of required and
sufficient. In the above, you'd put them in the order you want with each
one being *sufficient* to allow access. So as soon as one is found you're
good to go. If the module is required, then its condition must be
met...is it is required to be in /etc/passwd, but sufficient if they are
in either radius or ldap.
And as you said in another post, half the pam modules are half-assed. But
the source is usually there. I've had to modify one or two in the past.
Overall it's a nice system. At least it works on Linux...it bites on HPUX
(at least that's been my opinion).
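
Added example, not part of the original message: a simplified Python model of how Linux-PAM treats the required/sufficient control flags discussed above, run against a constructed auth stack for the passwd -> RADIUS -> TACACS+ -> LDAP chain. The stack text, the function names and the simulated backend answers are assumptions for illustration; this is not libpam's own dispatcher, and module arguments are omitted.

```python
# Simplified model of Linux-PAM control flags; stacks below are constructed.
CHAIN = """
auth sufficient pam_unix.so          # local /etc/passwd
auth sufficient pam_radius_auth.so
auth sufficient pam_tacplus.so
auth sufficient pam_ldap.so
auth required   pam_deny.so          # nothing matched: fail explicitly
"""

# Mixing flags: a failed 'required' cannot be rescued by a later 'sufficient'.
MIXED = """
auth required   pam_unix.so
auth sufficient pam_ldap.so
auth required   pam_deny.so
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module -> True/False (simulated backend answer).
    Modules missing from results fail, which is how pam_deny.so behaves.
    Returns (allowed, modules_consulted)."""
    failed_required = False
    any_success = False
    consulted = []
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted          # fail at once
        if control == "required" and not ok:
            failed_required = True           # remembered; stack keeps running
        elif control == "sufficient" and ok and not failed_required:
            return True, consulted           # short-circuit success
        elif ok and control in ("required", "requisite", "optional"):
            any_success = True
        # a failed 'sufficient' or 'optional' module is ignored
    return (any_success and not failed_required), consulted
```

In the CHAIN stack a user known only to RADIUS is accepted after two modules are consulted, and a user unknown everywhere falls through to pam_deny.so and is refused.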