pam_userdb patch.

From: Jeremy Warren (sdtjrwyahoo.com)
Date: Tue Sep 26 2006 - 15:18:35 CDT


Hello,

I have created a patch for pam_userdb that I
would like to post for your consideration.

We had a situation here where there is a userid
that is shared amongst several people. The
desire was to have unique passwords for each
person, while still allowing them to assume the
same UID when logged in. Traditional SU/SUDO
solutions were not acceptable because the
application needed to interact with xscreensaver
in such a way that if the x interface locked, the
next shift could unlock it with their unique
password.

In addition we needed to generate an audit
message in the logs so that we could say "Bob was
who was logged in as the shared account at that
time".

Simple passwords were deemed sufficient for this
as it's not a particularly sensitive operation.

pam_userdb + key_only works perfectly for this.

I set up a db which contained:
[shared account]-password1
<username1>
[shared account]-password2
<username2>
[shared account]-password3
<username3>
.
.
.

I then tweaked pam_userdb to add an optional
switch:

audit_out

which is only valid in conjunction with key_only.
 When audit_out is set, the assumption is that
the data that is normally in the "password" field
is now in fact the "username" and a message will
be generated to the logs indicating the username
that is associated with key_only password
entered.

My system (SuSE 9.3) comes with the older
pam-0.78.8. I was able to compile/build and test
this patch without issue.

I have also downloaded PAM-0.99.6.3, and have
created a patch for that version as well.

Unfortunately I don't have all of the necessary
co-reqs (specifically lex/yywrap stuff) so while
all indications are my 0.99.6.3 patch will work
fine, I can't compile it to be certain that it
works correctly. (I can't upgrade/download the
missing dependencies right now either).

Since this is my first time posting something to
any community for consideration I wanted to post
to the list first to make sure I followed the
correct procedure.

Should I just post the definitively working patch
from the older base, and/or post the probably
working 99.6.3 patch?

Thanks in advance for your advice and
consideration.

Jeremy

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list
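The key_only lookup and audit message described in the message above, as an added C example that is not the poster's patch and not pam_userdb's own code. An in-memory table stands in for the Berkeley DB file; the account name `opsconsole`, the passwords, the user names and the log wording are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records standing in for the userdb file:
 * key = "<shared account>-<password>", value = real user name. */
struct rec { const char *key; const char *val; };
static const struct rec sample_db[] = {
    { "opsconsole-red42",  "bob"   },
    { "opsconsole-blue17", "alice" },
};

/* key_only style lookup: a record exists only when account and password
 * both match. Returns the stored value (the real user name in the
 * audit_out layout from the post) or NULL when there is no record. */
const char *keyonly_lookup(const char *account, const char *password)
{
    char key[256];
    int n = snprintf(key, sizeof key, "%s-%s", account, password);
    if (n < 0 || (size_t)n >= sizeof key)
        return NULL;                    /* over-long input: fail closed */
    for (size_t i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++)
        if (strcmp(sample_db[i].key, key) == 0)
            return sample_db[i].val;
    return NULL;
}

/* Build the audit line a module could hand to syslog. The password is
 * never written to the message. Returns 0 on success, -1 on failure. */
int audit_line(const char *account, const char *password,
               char *out, size_t outlen)
{
    const char *real = keyonly_lookup(account, password);
    if (real == NULL) {
        snprintf(out, outlen, "authentication failure for %s", account);
        return -1;
    }
    snprintf(out, outlen, "user %s authenticated as shared account %s",
             real, account);
    return 0;
}

int main(void)
{
    char msg[128];
    audit_line("opsconsole", "red42", msg, sizeof msg);
    puts(msg);
    return 0;
}
```

Because the password is part of the record key, the database file holds every password in clear text and needs file permissions that keep it readable by root only.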