Date: Tue, 26 Sep 2017 06:27:15 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Why does chsh not support PAM?
Message-ID: <aa452260-46cb-1aa4-7f2d-acbe5385912d@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.20.1709251727100.58574@prime.gushi.org>
References: <alpine.BSF.2.20.1709251727100.58574@prime.gushi.org>
On 26/09/2017 01:30, Dan Mahoney (Gushi) wrote:
> At the day job, our systems are Kerberized. People log in with a Kerberized ssh client (which checks Kerberos internally, rather than via a PAM module), or use GSSAPI-enabled ssh.
>
> People get root via ksu.
>
> Everyone has a "*" as their password entry in /etc/master.passwd.
>
> All this stuff is in -BASE.
>
> Here's my question: Why have we not PAM-ified chsh yet, such that a user can change their shell or GECOS information using only their Kerberos password?
>
> How hard would this be to implement, rather than adding a hardcoded check against the password file in programs like chsh?

It is quite likely that we haven't PAM-ified chsh(1) or chpass(1) simply because no-one has volunteered to do the work yet. I suspect that the code required to do the job is not particularly challenging, but as this is obviously a security-sensitive area, it should be carefully reviewed to ensure that you aren't giving away far more than you intended to.

If you're interested in having a go at implementing something like this, talk to Dag-Erling (des@FreeBSD.org), who is the author of the PAM system in FreeBSD and a former Security Officer. Then please do stick some patches up on Phabricator for review.
Cheers,

Matthew