Date: Sat, 22 Jul 2017 17:23:07 +0800
From: Ben Woods <woodsb02@gmail.com>
To: Dag-Erling Smørgrav <des@des.no>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: PAM conditional authentication (advanced control syntax)
Message-ID: <CAOc73CCYjCdcV5AkW7DJZLqbaSuxSAHmRC7RQW-4LRPy7GzaYQ@mail.gmail.com>
Hi des,

First of all, thank you for creating and maintaining OpenPAM!

I have been digging into PAM and kerberos over the last few days, and have realised I want to have a different control flow depending on whether krb5 authentication fails due to an inability to contact the KDC (e.g. network or KDC outage), or whether it fails due to the KDC positively confirming the username/password combination is incorrect/invalid.

In Linux PAM this is possible using the advanced control syntax; however, this doesn't appear to exist in OpenPAM. Are there any plans to implement it, or something similar?

The rest of this email is only to provide context for why I want this functionality.

The ideal PAM flow in my example use case (using a new local cache PAM module such as https://github.com/google/libpam-policycache):

1. Try kerberos authentication.
   - If krb5 fails with incorrect username/password, then break the chain and return a failure.
   - If krb5 fails with KDC unreachable, then skip the next 1 module in the chain (jump to using the cache), with the result being a failure unless a later module succeeds.
   - If krb5 succeeds, then keep going in the chain, with the result being a success unless a later module fails.
2. Update the local cache with the username/password successfully used in step 1, and then break the chain returning success.
3. Try authentication against the local cache, and pass or fail based on the result (ending the chain).

With Linux's advanced control syntax, I believe this would look something like the following:

    auth [service_err=1 success=ok new_authtok_reqd=ok default=die] pam_krb5.so try_first_pass
    auth [default=done] pam_policycache.so action=update use_first_pass
    auth [success=ok new_authtok_reqd=ok default=bad] pam_policycache.so action=check use_first_pass

Thanks in advance,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com
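To see how the three lines proposed in the mail would be evaluated, here is an added example (not from the original message, and not OpenPAM's or Linux-PAM's own dispatcher): a small Python simulator of the `[value=action ...]` stack rules as documented in pam.conf(5), run over the scenarios in the numbered list above. The return-code strings and the module names used to tell the two pam_policycache invocations apart are constructed placeholders.

```python
# Constructed simulator of Linux-PAM's "[value=action ...]" control syntax,
# following the rules documented in pam.conf(5) (ok, done, bad, die, ignore,
# reset, N). It is not Linux-PAM's own dispatcher; verify against the real one.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_SERVICE_ERR = "success", "auth_err", "service_err"
PAM_MUST_FAIL = "perm_denied"   # returned when no module decides the stack


def parse_control(field):
    """'[service_err=1 success=ok default=die]' -> {'service_err': '1', ...}"""
    return dict(tok.split("=", 1) for tok in field.strip("[]").split())


def run_stack(stack, returns):
    """stack: [(control, module)], returns: {module: retval}; gives the stack result."""
    impression, status, skip = None, PAM_MUST_FAIL, 0
    for control, module in stack:
        if skip:                          # jumped over by an earlier N action
            skip -= 1
            continue
        retval = returns[module]
        ctl = parse_control(control)
        action = ctl.get(retval, ctl.get("default", "ignore"))
        if action.isdigit():              # N: behaves as ok, then skips N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            # ok only overrides an undecided stack or a currently successful one;
            # a failure recorded here is never replaced by a later ok success
            if impression is None or (impression == "+" and status == PAM_SUCCESS):
                impression, status = "+", retval
            if action == "done":          # ok plus terminate the stack
                break
        elif action in ("bad", "die"):
            if impression != "-":         # first failure wins
                impression, status = "-", retval
            if action == "die":           # bad plus terminate the stack
                break
        elif action == "reset":
            impression, status = None, PAM_MUST_FAIL
        # "ignore": this module's result does not touch the stack status
    return status


# The three lines from the mail with module arguments dropped; the two
# policycache names are placeholders for action=update and action=check.
STACK = [
    ("[service_err=1 success=ok new_authtok_reqd=ok default=die]", "pam_krb5"),
    ("[default=done]", "policycache_update"),
    ("[success=ok new_authtok_reqd=ok default=bad]", "policycache_check"),
]


def scenario(krb5, update=PAM_SUCCESS, check=PAM_SUCCESS):
    """Stack result for the given (constructed) module return values."""
    return run_stack(STACK, {"pam_krb5": krb5, "policycache_update": update,
                             "policycache_check": check})
```

Under these documented rules the "KDC unreachable, then cache hit" scenario evaluates to service_err, because the failure recorded by the jump (which acts as ok) is not replaced by the later ok success, and `[default=done]` turns a cache update failure into the stack result. Check both against the Linux-PAM build you actually run before relying on those three lines.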