From: Ben Woods <woodsb02@gmail.com>
Date: Sat, 22 Jul 2017 17:23:07 +0800
Subject: PAM conditional authentication (advanced control syntax)
To: Dag-Erling Smørgrav, freebsd-questions@freebsd.org

Hi des,

First of all, thank you for creating and maintaining OpenPAM!

I have been digging into PAM and Kerberos over the last few days, and have realised I want to have a different control flow depending on whether krb5 authentication fails due to an inability to contact the KDC (e.g. network or KDC outage), or whether it fails due to the KDC positively confirming that the username/password combination is incorrect/invalid.

In Linux PAM this is possible using the advanced control syntax; however, this doesn't appear to exist in OpenPAM. Are there any plans to implement it, or something similar?

The rest of this email only provides context for why I want this functionality.

The ideal PAM flow in my example use case (using a new local-cache PAM module such as https://github.com/google/libpam-policycache):

1. Try Kerberos authentication.
   - If krb5 fails with incorrect username/password, then break the chain and return a failure.
   - If krb5 fails with KDC unreachable, then skip the next 1 module in the chain (jump to using the cache), with the result a failure unless a later module succeeds.
   - If krb5 succeeds, then keep going in the chain, with the result a success unless a later module fails.
2. Update the local cache with the username/password successfully used in step 1, and then break the chain returning success.
3. Try authentication against the local cache, and pass or fail based on the result (ending the chain).

With Linux's advanced control syntax, I believe this would look something like the following:

    auth [service_err=1 success=ok new_authtok_reqd=ok default=die] pam_krb5.so try_first_pass
    auth [default=done] pam_policycache.so action=update use_first_pass
    auth [success=ok new_authtok_reqd=ok default=bad] pam_policycache.so action=check use_first_pass

Thanks in advance,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com
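As an added example (not part of the mail above, and not Linux-PAM or OpenPAM code): a small Python model of the Linux-PAM advanced control syntax, run over the three-line stack proposed in the mail. It implements the action semantics that pam.conf(5) describes for ok, done, bad, die, ignore, reset and N, and walks the cases the mail distinguishes: the KDC confirms a bad password, the KDC is unreachable (with a cache hit or a cache miss), and the KDC accepts the password. pam.conf(5) describes N as "equivalent to ok with the side effect of jumping", so whether the jump also records the krb5 return value the way ok does is left as a flag (jump_is_ok) to show both readings; under the "equivalent to ok" reading the recorded service_err cannot be overridden by the later success=ok from the cache check, so the second stack (an assumption of mine, not the mail's) inserts a [default=reset] pam_permit.so line ahead of the cache check, which gives the intended result under either reading. The scenario() module behaviour, the WITH_RESET stack and the parse_stack/run_stack/outcome helpers are constructed for this simulation.

```python
"""Model of the Linux-PAM [value=action ...] control syntax (a constructed example,
not Linux-PAM or OpenPAM code), run over the krb5 -> cache-update -> cache-check
stack proposed in the mail above."""
import re

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
MUST_FAIL = "perm_denied"   # what an undecided stack collapses to in Linux-PAM
# Only the bracketed syntax is parsed; the classic keywords are not expanded here.
LINE_RE = re.compile(r"^(\w+)\s+\[([^\]]*)\]\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """'auth [v=action ...] module.so args...' lines -> [(control dict, module, [args])]."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: " + raw)
        _facility, control, module, args = m.groups()
        stack.append((dict(p.split("=", 1) for p in control.split()), module, args.split()))
    return stack


def run_stack(stack, module_returns, jump_is_ok=False):
    """Walk the stack with Linux-PAM's impression/status bookkeeping; return
    (final status, trace).  module_returns(module, args) gives each module's return
    value by its pam.conf(5) name ('success', 'service_err', 'auth_err', ...).
    jump_is_ok=True makes a jump (N) record the return value the way 'ok' does."""
    impression, status, trace, i = UNDEF, MUST_FAIL, [], 0
    while i < len(stack):
        control, module, args = stack[i]
        retval = module_returns(module, args)
        action = control.get(retval, control.get("default", "bad"))  # unlisted -> bad
        trace.append((module, retval, action))
        i += 1
        if action == "ignore":
            continue
        if action == "reset":                 # forget everything decided so far
            impression, status = UNDEF, MUST_FAIL
        elif action in ("bad", "die"):        # the first failure is the one kept
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval
            if action == "die":
                break
        elif action in ("ok", "done") or action.isdigit():
            if action in ("ok", "done") or jump_is_ok:
                # 'ok' may only overwrite an undecided or still-successful stack
                if retval != "ignore" and (impression == UNDEF or
                                           (impression == POSITIVE and status == "success")):
                    impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break
            if action.isdigit():              # jump: skip the next N modules
                i += int(action)
        else:
            raise ValueError("unknown action " + action)
    if impression == UNDEF or status == "ignore":       # nothing decided -> deny
        status = MUST_FAIL
    if status == "success" and impression != POSITIVE:  # Linux-PAM's final sanity check
        status = MUST_FAIL
    return status, trace


# The stack proposed in the mail (copied so the model can parse it).
PROPOSED = """
auth [service_err=1 success=ok new_authtok_reqd=ok default=die] pam_krb5.so try_first_pass
auth [default=done] pam_policycache.so action=update use_first_pass
auth [success=ok new_authtok_reqd=ok default=bad] pam_policycache.so action=check use_first_pass
"""
# Assumed variant (mine, not the mail's): a [default=reset] line wipes whatever the
# jump left behind, so the cache check decides on its own under either reading of N.
WITH_RESET = """
auth [service_err=1 success=ok new_authtok_reqd=ok default=die] pam_krb5.so try_first_pass
auth [default=done] pam_policycache.so action=update use_first_pass
auth [default=reset] pam_permit.so
auth [success=ok new_authtok_reqd=ok default=bad] pam_policycache.so action=check use_first_pass
"""


def scenario(krb5, cache_check):
    """Constructed module behaviour: what the KDC answers and what the cache answers."""
    def module_returns(module, args):
        if module == "pam_krb5.so":
            return krb5
        if module == "pam_policycache.so":
            return "success" if "action=update" in args else cache_check
        return "success"                      # pam_permit.so always succeeds
    return module_returns


def outcome(config, krb5, cache_check="auth_err", jump_is_ok=False):
    """Final stack result for one KDC/cache scenario under one reading of N."""
    return run_stack(parse_stack(config), scenario(krb5, cache_check), jump_is_ok)[0]


if __name__ == "__main__":
    for name, cfg in ("proposed", PROPOSED), ("with_reset", WITH_RESET):
        for jump_is_ok in (False, True):
            print(name, "jump_is_ok=%s" % jump_is_ok, "kdc-down+cache-hit ->",
                  outcome(cfg, "service_err", "success", jump_is_ok))
```

Run it with python3 to print the KDC-outage outcome for both stacks under both readings of N; outcome() can be called with any combination of krb5 and cache return values to trace other paths, and run_stack() returns the per-module (module, retval, action) trace alongside the final status.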