Re: Dynamically creating users if !exist
From: Joe Lewis (joe relia.net)
Date: Wed Oct 22 2003 - 12:00:28 CDT
Harold Martin wrote:
>>Harold Martin wrote:
>>>>If hardened, and power cycled, do the accounts disappear?
>>>
>>>No, why would they?
>>
>>Because the accounts weren't hardened with the core system. You'd have
>>to have a persistent form of storing the accounts from powercycle to
>>powercycle - either that or a really trustworthy ups.
>
> I've really lost you here.
> My idea is just to copy a template account for the new user.
> This would then be all on the HD, right?
So, the accounts are not really "hardened", then, just put on a hard
drive. I understand.
> For my purposes, local=someone typing on the physically attached
> keyboard and getting feedback through the physically attached display.
A simple module would suffice using the pseudo-code you already wrote,
and then put it in the login.conf file in /etc/pam.d. Nothing else will
use the module to authenticate (ssh/telnet/mail), only a console text
login (X windows might need one, too, if you want to allow that, by
putting a reference to the module in the /etc/pam.d/[gkx]dm.conf files
(depends on if you are using gnome, kde, or regular X) for the login and
xscreensaver.conf for handling the screen savers).
Joe
> Thanks a ton,
> Harold
>
>
>>>>If you need a customized pam_module, any number of these guys around the
>>>>list will be able to help. I had to port the pam_mysql from Linux to
>>>>BSD, so I'm also able to help.
>>>
>>>Thanks a whole lot. :-D
>>>
>>>I noticed you didn't cc your last email to the list, so I'm not cc'ing
>>>this either...
>>
>>That was my mistake.
>>
>>
>>>Thanks,
>>>Harold
>>>
>>>
>>>
>>>>Harold Martin wrote:
>>>>
>>>>
>>>>>On Tue, 2003-10-21 at 14:01, Joe Lewis wrote:
>>>>>
>>>>>
>>>>>
>>>>>>Yes, though I'd have no clue as to why. The whole intent of PAM is to
>>>>>>make the security of a device more easily configurable, and just opening
>>>>>>the door for users to log in with a new user ID opens a LOT of security
>>>>>>holes.
>>>>>
>>>>>
>>>>>I'm open to suggestions (besides creating a special user to create
>>>>>users, which I've already ruled out).
>>>>>
>>>>>I'm putting it out as a system where there will be a limited set of
>>>>>people who will be allowed to access it. The computer itself will be
>>>>>hardened. The only apps that will be available to users will be email,
>>>>>web, and cards (basically). Certainly no console access.
>>>>>I realize that with enough effort those outside of my given range of
>>>>>users could login. That it could be used for cracking. That users could
>>>>>bumble around and create 100 accounts for themselves.
>>>>>(The latter being the worst of my fears ;) )
>>>>>But I have yet to see a better way...
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>If you have programming
>>>>>>skills, you can create a module that catches the pam_sm_authenticate
>>>>>>function, checks for the user, and if not found, creates the user and
>>>>>>returns success.
>>>>>
>>>>>
>>>>>I really don't have enough skills with PAM in specific (or C in general).
>>>>>And this system is supposed to be available soon, so I really don't have
>>>>>time to learn :(
>>>>>If someone wants to mentor me in programming such a module, I'd be
>>>>>extremely appreciative.
>>>>>
>>>>>Harold
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>Is there any way I can use PAM to dynamically create users, if the
>>>>>>>username doesn't exist?
>>>>>>>I've looked at creating a user whose sole purpose is to create users,
>>>>>>>but I don't want to do that.
>>>>>>>
>>>>>>>How can I get something like this working?
>>>>>>>
>>>>>>>Thanks,
>>>>>>>Harold
>>>>>>>
>>>>>>>
>>>>>>
>>
>
>
_______________________________________________
Pam-list mailing list
Pam-list redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
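The checks a create-if-missing module would make before copying the template account, as an added example that is not part of the original thread and is not Joe's or Harold's code. It assumes a `pam_sm_authenticate` handler has already read the user name, `PAM_TTY` and `PAM_RHOST` with `pam_get_user`/`pam_get_item`; `login_decision`, its enum and the account cap are hypothetical names.

```c
#include <ctype.h>
#include <pwd.h>
#include <string.h>

enum decision { DEFER_TO_STACK, CREATE_FROM_TEMPLATE, DENY };

/* Conservative name check: the name becomes a passwd entry and a home
 * directory copied from the template, so no '/', '.', ':' or whitespace. */
static int name_ok(const char *u)
{
    size_t n = strlen(u);
    if (n == 0 || n > 31 || !islower((unsigned char)u[0]))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* "Local" as defined in the thread: a text virtual console ("tty1" or
 * "/dev/tty1") and no remote host. Everything else counts as non-local. */
static int is_local_console(const char *tty, const char *rhost)
{
    if ((rhost && *rhost) || !tty)
        return 0;
    if (strncmp(tty, "/dev/", 5) == 0)
        tty += 5;
    if (strncmp(tty, "tty", 3) != 0 || tty[3] == '\0')
        return 0;
    for (const char *p = tty + 3; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    return 1;
}

/* created/limit: auto-created accounts so far vs. an assumed admin-set cap. */
enum decision login_decision(const char *user, const char *tty,
                             const char *rhost, int created, int limit)
{
    if (!user)
        return DENY;
    if (getpwnam(user))
        return DEFER_TO_STACK;      /* existing account: normal auth applies */
    if (!name_ok(user) || !is_local_console(tty, rhost) || created >= limit)
        return DENY;
    return CREATE_FROM_TEMPLATE;
}
```

The cap addresses the "100 accounts" worry raised earlier in the thread, and the console check keeps a module that is accidentally referenced from another service's PAM file from creating accounts for remote logins.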