Re: Dynamically creating users if !exist
From: Harold Martin (cocoadev at earthlink.net)
Date: Wed Oct 22 2003 - 11:27:17 CDT
On Wed, 2003-10-22 at 08:40, Joe Lewis wrote:
> Harold Martin wrote:
> >>The module you are looking for sounds like you
> >>are trying to perform an "allow unless the passwords don't match" thing,
> >>rather than a "allow if the passwords match".
> >
> > Not really sure what you mean there. The logic is something like
> >
> > if (user_exists) {
> >     if (password_is_correct) {
> >         login;
> >     }
> >     else {
> >         error;
> >     }
> > }
> > else {
> >     if (login_is_local) {
> >         create_user;
> >         login;
> >     }
> >     else {
> >         error;
> >     }
> > }
>
> Good re-state using pseudo-code.
> >>If hardened, and power cycled, do the accounts disappear?
> >
> > No, why would they?
>
> Because the accounts weren't hardened with the core system. You'd have
> to have a persistent form of storing the accounts from powercycle to
> powercycle - either that or a really trustworthy UPS.
I've really lost you here.
My idea is just to copy a template account for the new user.
This would then be all on the HD, right?
> >> How do you verify that a user (even if the account hasn't been
> >>created) is allowed to connect, even if the account isn't created?
> >
> > Didn't think of that one, hence the login_is_local stuff above.
> > Of course I don't know if testing if the login_is_local is possible.
> > Refer to my first two statements in this email.
>
> You can indeed test if the login is local, but to test that, there's got
> to be a method or a criteria for determining "local" vs. not. Perhaps
> you're looking for something that sets the password the first time
> someone logs in?
For my purposes, local=someone typing on the physically attached
keyboard and getting feedback through the physically attached display.
Let me know what you think...
Thanks a ton,
Harold
> >>If you need a customized pam_module, any number of these guys around the
> >>list will be able to help. I had to port the pam_mysql from Linux to
> >>BSD, so I'm also able to help.
> >
> > Thanks a whole lot. :-D
> >
> > I noticed you didn't cc your last email to the list, so I'm not cc'ing
> > this either...
>
> That was my mistake.
>
> > Thanks,
> > Harold
> >
> >
> >>Harold Martin wrote:
> >>
> >>>On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
> >>>
> >>>
> >>>>Yes, though I'd have no clue as to why. The whole intent of PAM is to
> >>>>make the security of a device more easily configurable, and just opening
> >>>>the door for users to log in with a new user ID opens a LOT of security
> >>>>holes.
> >>>
> >>>
> >>>I'm open to suggestions (besides creating a special user to create
> >>>users, which I've already ruled out).
> >>>
> >>>I'm putting it out as a system where there will be a limited set of
> >>>people who will be allowed to access it. The computer itself will be
> >>>hardened. The only apps that will be available to users will be email,
> >>>web, and cards (basically). Certainly no console access.
> >>>I realize that with enough effort those outside of my given range of
> >>>users could login. That it could be used for cracking. That users could
> >>>bumble around and create 100 accounts for themselves.
> >>>(The latter being the worst of my fears ;) )
> >>>But I have yet to see a better way...
> >>>
> >>>
> >>>
> >>>>If you have programming
> >>>>skills, you can create a module that catches the pam_sm_authenticate
> >>>>function, checks for the user, and if not found, creates the user and
> >>>>returns success.
> >>>
> >>>
> >>>I really don't have enough skills with PAM in specific (or C in general).
> >>>And this system is supposed to be available soon, so I really don't have
> >>>time to learn :(
> >>>If someone wants to mentor me in programming such a module, I'd be
> >>>extremely appreciative.
> >>>
> >>>Harold
> >>>
> >>>
> >>>
> >>>
> >>>>>Is there any way I can use PAM to dynamically create users, if the
> >>>>>username doesn't exist?
> >>>>>I've looked at creating a user whose sole purpose is to create users,
> >>>>>but I don't want to do that.
> >>>>>
> >>>>>How can I get something like this working?
> >>>>>
> >>>>>Thanks,
> >>>>>Harold
> >>>>>
> >>>>>
> >>>>
> >
>
>
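The decision logic from Harold's pseudo-code, with Joe's "local vs. not" criterion and a check that the not-yet-created user is actually permitted, as an added C example that is not part of the thread. The console-tty test, the fixed allowlist and the function names are assumptions; wiring into pam_sm_authenticate() is described only in a comment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Outcomes of the login decision sketched in the thread. */
enum decision { LOGIN, CREATE_AND_LOGIN, ERROR };

/* "Local" as Harold defines it: a physically attached console. Assumed
 * criterion (not from the thread): no remote host recorded and the tty is
 * a virtual console, /dev/ttyN. Pseudo-terminals (/dev/pts/N), serial
 * lines (ttyS0) and anything carrying an rhost count as remote. */
bool is_local_login(const char *tty, const char *rhost)
{
    if (rhost != NULL && rhost[0] != '\0')
        return false;
    if (tty == NULL)
        return false;
    if (strncmp(tty, "/dev/", 5) == 0)
        tty += 5;                     /* PAM_TTY may or may not carry /dev/ */
    if (strncmp(tty, "tty", 3) != 0 || tty[3] == '\0')
        return false;
    for (const char *p = tty + 3; *p != '\0'; p++)
        if (*p < '0' || *p > '9')
            return false;
    return true;
}

/* Joe's question: how is a not-yet-created user known to be allowed?
 * Assumed answer: a fixed allowlist of names (constructed sample). */
static const char *const allowed[] = { "alice", "bob", "carol" };
bool user_is_allowed(const char *user)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(user, allowed[i]) == 0)
            return true;
    return false;
}

/* Harold's pseudo-code with the two checks folded in. In a real module this
 * runs inside pam_sm_authenticate(); tty and rhost would come from
 * pam_get_item(pamh, PAM_TTY, ...) and pam_get_item(pamh, PAM_RHOST, ...). */
enum decision decide(bool user_exists, bool password_ok,
                     const char *user, const char *tty, const char *rhost)
{
    if (user_exists)
        return password_ok ? LOGIN : ERROR;
    if (is_local_login(tty, rhost) && user_is_allowed(user))
        return CREATE_AND_LOGIN;
    return ERROR;
}
```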
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list