From: "Richard Jones"
Delivered-To: freebsd-security@freebsd.org
Subject: PAM in FreeBSD
Date: Wed, 4 Oct 2000 15:48:29 +0200
Message-ID: <041601c02e09$c8e6dbd0$2600a8c0@ori>

Hi

I'm a newbie to this list so if this question has been asked please refer me to it.

In the last couple of days I've been checking the PAM state in the FreeBSD 4.1 release.

Let's see if I understand exactly how PAM works:

According to what was configured for it, PAM authenticates the user trying to enter the machine.

In order to support the PAM control on user's authentication to the machine, there are 2 groups of applications.

group 1: Those that are responsible for authenticating users (such as: login, sshd, su, and others), are supposed to have a section (probably ifdefed) that uses PAM to authenticate the user instead of the standard way it uses. For instance: login can use something other than the usual unix password to authenticate users.

group 2: Those that are responsible for the actual authentication (such as: simple unix, radius, tacplus, etc.). These applications don't require the libpam module support. The libpam itself looks very good, with a lot of useful modules (unix, radius, tacplus, skey, kerberos, ssh, etc.).

Please correct me if I'm wrong.

After walking through the FreeBSD sources I saw that:

1. None of the first group applications (except: login) has the support for PAM authentication (ifdefed).
2. sshd support for PAM: I saw that there was a discussion in this mailing list about this subject. There was a suggestion to change the makefile to use libcrypt. Does it mean the ssh-pam interaction works after this change?

My questions are:

a. Are any of my assumptions/conclusions wrong?
b. Is there any work done on the subject to fix it?
c. How stable is PAM on FreeBSD?
d. Any known problems that you know from your experience?
e. Any helpful suggestions?
f. I'm especially interested in using PAM for group 1 (login and SSH) and for group 2 (radius, tacplus, unix, ssh). Does anyone have any experience with using them through PAM?

Sorry for this long mail (I'll keep track of the mailing list from now on so this is a one timer).

Thanks in advance for all your help

RJ.