account section for disconnected auth


[pam-0.99.6.0]

Hi all,

I'm trying to come up with a good account section for systems operating
under "disconnected auth", that is, network auth when there is no
network or the server went away.

I'm testing for now with nss info in LDAP and Kerberos auth (pam_krb5).  For
the nss part I'm using nss_db + nss_updatedb. This means that using
"user_unknown=ignore" as shown below doesn't work as intended, because the
user *is* known (but not listed in /etc/passwd or shadow):

account     [user_unknown=ignore default=done] pam_unix.so
account     [authinfo_unavail=ignore default=done] pam_krb5.so
account     required       pam_permit.so

With the above setup, pam_unix fails. It seems the only way to make this work
is to either add "authinfo_unavail=ignore" or "broken_shadow" to pam_unix, like
this:

account     [user_unknown=ignore default=done] pam_unix.so broken_shadow
account     [authinfo_unavail=ignore default=done] pam_krb5.so
account     required       pam_permit.so

or

account     [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
account     [authinfo_unavail=ignore default=done] pam_krb5.so
account     required       pam_permit.so

I also thought about making pam_unix "sufficient", but this would make it
possible for local users to bypass authorization rules, no?

Any thoughts? Thanks in advance.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
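A small simulator of the account stacks from this post, added here as an illustration (not code from the post or from Linux-PAM). It models only the ok/done/ignore/bad/die actions with the pam.conf(5) expansions of "required" and "sufficient", and the per-module return values in each scenario are constructed assumptions (e.g. pam_unix returning authinfo_unavail for a user with no shadow entry).

```python
SUCCESS = "success"
# Expansions of the classic keywords as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def parse_control(token):
    """'[user_unknown=ignore default=done]' or a keyword -> {value: action}."""
    if token in KEYWORDS:
        return KEYWORDS[token]
    return dict(p.split("=", 1) for p in token.strip("[]").split())

def run_stack(stack, returns):
    """Walk (control, module) lines given each module's PAM return.
    Simplified: ok/done/bad/die record the return unless a failure is
    already recorded; done/die also stop the stack."""
    status = None                       # nothing recorded yet
    for control, module in stack:
        actions = parse_control(control)
        ret = returns[module]
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue                    # module's result does not count
        if status in (None, SUCCESS):
            status = ret                # first failure (or success) wins
        if action in ("done", "die"):
            break                       # stop consulting later modules
    return status if status is not None else "perm_denied"  # libpam fallback

UNIX, KRB5, PERMIT = "pam_unix.so", "pam_krb5.so", "pam_permit.so"  # stacks: from the post
ORIGINAL = [("[user_unknown=ignore default=done]", UNIX),
            ("[authinfo_unavail=ignore default=done]", KRB5),
            ("required", PERMIT)]
WITH_IGNORE = [("[user_unknown=ignore authinfo_unavail=ignore default=done]", UNIX),
               ("[authinfo_unavail=ignore default=done]", KRB5),
               ("required", PERMIT)]
SUFFICIENT = [("sufficient", UNIX),
              ("[authinfo_unavail=ignore default=done]", KRB5),
              ("required", PERMIT)]

def outcome(stack, unix_ret, krb5_ret):
    """Result of the account stack for given pam_unix / pam_krb5 returns."""
    return run_stack(stack, {UNIX: unix_ret, KRB5: krb5_ret, PERMIT: SUCCESS})
if __name__ == "__main__":           # the scenarios from the post (constructed returns)
    for name, stack, u, k in [("original, no shadow entry", ORIGINAL, "authinfo_unavail", SUCCESS),
                              ("with ignore, server gone", WITH_IGNORE, "authinfo_unavail", "authinfo_unavail"),
                              ("sufficient, local user", SUFFICIENT, SUCCESS, "acct_expired")]:
        print(f"{name}: {outcome(stack, u, k)}")
```

Running it shows pam_unix's authinfo_unavail ending the first stack through default=done, and that with "sufficient" (just as with default=done when pam_unix itself succeeds) pam_krb5 is never consulted for a local user.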
