Date:      Tue, 10 Oct 2000 11:05:01 +0200
From:      "Richard Jones" <orinoki@yahoo.com>
To:        "FreeBSD-Security" <freebsd-security@freebsd.org>
Subject:   PAM help needed 
Message-ID:  <092701c03299$2e617d60$2600a8c0@ori>

Hi

I already sent this mail a week ago, but no one came to my help.
Doesn't anyone know these things? - If that is the case then please tell me.
Here is the mail again in the hope the FreeBSD PAM experts among you will lend a hand.
Thanks.

I'm a newbie to this list so if this question has been asked please refer me to it.

In the last couple of days I've been checking the PAM state in the FreeBSD 4.1 release.

Let's see if I understand exactly how PAM works:
According to what was configured to it, PAM authenticates a user trying to enter the machine.
In order to support the PAM control on user's authentication to the machine, there are 2 groups of applications.
group 1: Those that are responsible for authenticating users (such as: login, sshd, su, and others), are supposed to have a section (probably ifdefed) that uses PAM to authenticate the user instead of the standard way it uses. For instance: login can use something other than the usual unix password to authenticate users.

group 2: Those that are responsible for the actual authentication (such as: simple unix, radius, tacplus, etc.). These applications don't require the libpam module support. The libpam itself looks very good, with a lot of useful modules (unix, radius, tacplus, skey, kerberos, ssh, etc.).

Please correct me if I'm wrong.

After walking through the FreeBSD sources I saw that:
1. None of the first group applications (except: login) has the support for PAM authentication (ifdefed).
2. sshd support for PAM: I saw that there was a discussion in this mailing list about this subject. There was a suggestion to change the makefile to use libcrypt. Does it mean the ssh-pam interaction works after this change?


My questions are:
a. Is any of my assumptions/conclusions wrong?
b. Is there any work done on the subject to fix it?
c. How stable is PAM on FreeBSD?
d. Any known problems that you know from your experience?
e. Any helpful suggestions?
f. I'm especially interested in PAM for using for group 1 (login and SSH) and for group 2 (radius, tacplus, unix, ssh). Does anyone have any experience with using them through PAM?


Sorry for this long mail (I'll keep track of the mailing list from now on so this is a one timer).

Thanks in advance for all your help

RJ.
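
Added example, not part of the original message and not FreeBSD's own code: a small audit of a pam.conf-style file that reports, for each PAM-aware application (the post's "group 1"), which authentication modules (its "group 2") would actually be consulted, including the case where a service has no rules of its own and is handled by the `other` entry. The sample configuration is constructed, and the module file names in it are assumptions modelled on the modules named in the post.

```python
# Constructed sample in the one-rule-per-line pam.conf format:
#   service  module-type  control-flag  module-path  [arguments]
# Module file names are assumptions modelled on the modules named in the post.
SAMPLE_PAM_CONF = """\
login  auth     sufficient  pam_radius.so
login  auth     required    pam_unix.so    try_first_pass
login  account  required    pam_unix.so
su     auth     required    pam_unix.so    # inline comment
other  auth     required    pam_deny.so
"""


def parse_pam_conf(text):
    """Return {service: [(module_type, control, module, args), ...]} in file order."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {len(fields)}")
        service, mtype, control, module = fields[:4]
        rules.setdefault(service.lower(), []).append(
            (mtype.lower(), control, module, fields[4:]))
    return rules


def auth_stack(rules, service):
    """Return (source, [(control, module), ...]) for the service's auth checks.

    A service with no auth rules of its own is handled by the 'other' entry.
    """
    for source in (service.lower(), "other"):
        stack = [(c, m) for t, c, m, _ in rules.get(source, []) if t == "auth"]
        if stack:
            return source, stack
    return None, []


def audit(text, services):
    """Map each PAM-aware application to the rules that would authenticate it."""
    rules = parse_pam_conf(text)
    return {s: auth_stack(rules, s) for s in services}


if __name__ == "__main__":
    for svc, (source, stack) in audit(SAMPLE_PAM_CONF, ["login", "sshd", "su"]).items():
        print(f"{svc:6} via {source!r}: {stack}")
```

In the constructed sample, `sshd` has no entry of its own, so the audit shows it being decided by the `other` rule rather than by any of the modules listed for `login`.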
