On 12.11.2008 5:18, Jesse Zbikowski wrote:
> This issue was raised a couple of times this spring without response. I would like to know, if there is more than one path for authorization in the PAM stack, which one actually succeeded. For example, say I have a PAM configuration file like this:
>
> auth sufficient pam_first.so
> auth sufficient pam_second.so
> acct sufficient pam_first.so
> acct sufficient pam_second.so
>
> The behavior I want is: whichever module succeeds for authorization, use the same module when the application makes an accounting request. The module pam_tacplus.so is "well-behaved" in this regard, in that acct will not succeed unless auth already did. pam_radius_auth.so however, at least in my configuration, is happy to succeed in the acct request after a different module handled the auth request, which breaks my scheme.

Thus your scheme is vulnerable in that respect. Rework it. Read the pam.conf manual and look for the extended syntax there.

> If it is not possible to get this behavior from PAM out of the box, would it make sense to write a custom PAM module to handle this logic? That is, my module would internally call pam_authenticate() / pam_acct_mgmt() on other PAM services, according to my specifications.

Yes, that's possible, but such a module would be hardly dependent on PAM internals that can be changed without notice with each PAM release.

> With reference to the original posts on this topic: right now I would be if my application could figure out whether it was pam_first.so or pam_second.so which succeeded, perhaps via pam_get_item()

PAM was developed with application independence on authentication methods and their order in mind, so that is generally impossible. If your application is dependent on modules used and/or their order, it is broken in that respect.
--
Sincerely Your,
Dan.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
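To make the point of the thread concrete, here is an added model (not libpam code, and not from either poster) of how a stack of "sufficient" entries is walked, with one constructed module that remembers whether it authenticated (the pam_tacplus behaviour described above) and one that does not (the pam_radius_auth behaviour). The module names, user database and the `Handle`/`Module` classes are assumptions standing in for pam_handle_t, pam_set_data() and the real modules.

```python
# Added model, not libpam code: how "sufficient" walks a PAM stack and why a
# module that forgets whether it authenticated can satisfy the acct stack
# on the strength of another module's auth.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = 0, 7, 25   # libpam return codes


class Handle:
    """Stand-in for pam_handle_t; `data` plays the role of pam_set_data()."""
    def __init__(self):
        self.data = {}


class Module:
    def __init__(self, name, passwords, remembers_auth):
        self.name = name                      # e.g. "pam_first.so" (constructed)
        self.passwords = passwords            # constructed user database
        self.remembers_auth = remembers_auth  # "well-behaved" like pam_tacplus

    def authenticate(self, h, user, password):
        if self.passwords.get(user) != password:
            return PAM_AUTH_ERR
        h.data[self.name] = user              # remember that *we* authenticated
        return PAM_SUCCESS

    def acct_mgmt(self, h, user):
        if self.remembers_auth and h.data.get(self.name) != user:
            return PAM_IGNORE                 # no acct unless our own auth passed
        return PAM_SUCCESS                    # promiscuous: accepts regardless


def run_stack(h, stack, call):
    """Every entry is 'sufficient': PAM_SUCCESS ends the stack, any other
    result (failure or PAM_IGNORE) is skipped; no success means denial."""
    for module in stack:
        if call(module, h) == PAM_SUCCESS:
            return module.name
    return None


def session(auth_stack, acct_stack, user, password):
    """Returns (module that passed auth, module that passed acct)."""
    h = Handle()
    who_auth = run_stack(h, auth_stack, lambda m, ph: m.authenticate(ph, user, password))
    if who_auth is None:
        return None, None
    return who_auth, run_stack(h, acct_stack, lambda m, ph: m.acct_mgmt(ph, user))


# constructed modules: first behaves like pam_tacplus, second like pam_radius_auth
first = Module("pam_first.so", {"alice": "a-secret"}, remembers_auth=True)
second = Module("pam_second.so", {"bob": "b-secret"}, remembers_auth=False)
```

With the acct stack in the same order as the auth stack the two line up, but listing the forgetful module first in the acct stack lets it answer for a user that pam_first.so authenticated, which is the mismatch the thread is about.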