Date: Tue, 10 Oct 2000 11:05:01 +0200
From: "Richard Jones" <orinoki@yahoo.com>
To: "FreeBSD-Security" <freebsd-security@freebsd.org>
Subject: PAM help needed
Message-ID: <092701c03299$2e617d60$2600a8c0@ori>
Hi

I already sent this mail a week ago, but no one came to my help.
Doesn't anyone know these things? - If that is the case then please tell me.
Here is the mail again in the hope the FreeBSD's PAM experts among you will lend a hand.
thanks.

I'm a newbie to this list so if this question has been asked please refer me to it.

In the last couple of days I've been checking the PAM state in the FreeBSD 4.1 release.

Let's see if I understand exactly how PAM works:
According to what was configured to it, PAM authenticates users trying to enter the machine.
In order to support the PAM control on user's authentication to the machine, there are 2 groups of applications.

group 1: Those that are responsible for authenticating users (such as: login, sshd, su, and others), are supposed to have a section (probably ifdefed) that uses PAM to authenticate the user instead of the standard way it uses. For instance: login can use something other than the usual unix password to authenticate users.

group 2: Those that are responsible for the actual authentication (such as: simple unix, radius, tacplus, etc.). These applications don't require the libpam module support. The libpam itself looks very good, with a lot of useful modules (unix, radius, tacplus, skey, kerberos, ssh, etc.).

Please correct me if I'm wrong.

After walking through the FreeBSD sources I saw that:
1. None of the first group applications (except: login) has the support for PAM authentication (ifdefed).
2. sshd support for PAM: I saw that there was a discussion in this mailing list about this subject. There was a suggestion to change the makefile to use libcrypt. Does it mean the ssh-pam interaction works after this change?

My questions are:
a. Is any of my assumptions/conclusions wrong?
b. Is there any work done on the subject to fix it?
c. How stable is PAM on FreeBSD?
d. Any known problems that you know from your experience?
e. Any helpful suggestions?
f. I'm especially interested in PAM for using for group 1 (login and SSH) and for group 2 (radius, tacplus, unix, ssh). Does anyone have any experience with using them through PAM?

Sorry for this long mail (I'll keep track of the mailing list from now on so this is a one timer).

Thanks in advance for all your help

RJ.
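Added example, not part of the original message and not FreeBSD's libpam code: a reduced Python model of how a pam.conf auth stack ties the calling application (the "group 1" service name) to the modules that do the actual checking ("group 2"). The sample configuration and the module file names in it are constructed, and the control-flag handling is a simplified model of required/requisite/sufficient/optional.

```python
# Constructed sample in the classic single-file pam.conf layout:
#   service  module-type  control-flag  module  [args]
SAMPLE_PAM_CONF = """\
login  auth  sufficient  pam_radius.so
login  auth  required    pam_unix.so    try_first_pass
sshd   auth  requisite   pam_tacplus.so
sshd   auth  required    pam_unix.so
other  auth  required    pam_deny.so    # fallback for unlisted services
"""

def parse_pam_conf(text):
    """Return {service: [(control, module), ...]} for the 'auth' lines."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "auth":
            stacks.setdefault(fields[0], []).append((fields[2], fields[3]))
    return stacks

def authenticate(stacks, service, module_ok):
    """Evaluate the auth stack for `service`.

    module_ok maps a module name to the result that module would return
    (True = success); it stands in for the real back ends.
    A service with no stack of its own falls back to 'other'.
    """
    stack = stacks.get(service) or stacks.get("other", [])
    failed = succeeded = optional_ok = False
    for control, module in stack:
        ok = module_ok.get(module, False)
        if control == "requisite" and not ok:
            return False                 # fail at once, skip the rest
        if control in ("required", "requisite"):
            succeeded = succeeded or ok
            failed = failed or not ok    # remembered, stack keeps running
        elif control == "sufficient":
            if ok and not failed:
                return True              # success ends the stack early
        elif control == "optional":
            optional_ok = optional_ok or ok
    if failed:
        return False
    return succeeded or optional_ok      # optional only counts if alone

STACKS = parse_pam_conf(SAMPLE_PAM_CONF)
```

The application only ever passes its service name; swapping RADIUS for TACACS+ or local passwords is a configuration change, which is why each "group 1" program needs PAM calls compiled in before any of this applies to it.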
