From owner-freebsd-questions@freebsd.org  Tue Sep 26 00:30:28 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2E102E2756F
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Tue, 26 Sep 2017 00:30:28 +0000 (UTC)
 (envelope-from danm@prime.gushi.org)
Received: from mailman.ysv.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 0D94A6EB37
 for <freebsd-questions@freebsd.org>; Tue, 26 Sep 2017 00:30:28 +0000 (UTC)
 (envelope-from danm@prime.gushi.org)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 09892E2756E; Tue, 26 Sep 2017 00:30:28 +0000 (UTC)
Delivered-To: questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 09145E2756D
 for <questions@mailman.ysv.freebsd.org>; Tue, 26 Sep 2017 00:30:28 +0000 (UTC)
 (envelope-from danm@prime.gushi.org)
Received: from prime.gushi.org (prime.gushi.org [IPv6:2001:4f8:3:3d::42])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "prime.gushi.org", Issuer "RapidSSL SHA256 CA - G3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id E08076EB36
 for <questions@freebsd.org>; Tue, 26 Sep 2017 00:30:27 +0000 (UTC)
 (envelope-from danm@prime.gushi.org)
Received: from prime.gushi.org (danm@localhost [127.0.0.1])
 by prime.gushi.org (8.15.2/8.15.2) with ESMTPS id v8Q0UBxH059043
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <questions@freebsd.org>; Mon, 25 Sep 2017 17:30:13 -0700 (PDT)
 (envelope-from danm@prime.gushi.org)
DKIM-Filter: OpenDKIM Filter v2.10.3 prime.gushi.org v8Q0UBxH059043
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gushi.org;
 s=prime2014; t=1506385668;
 bh=TLJGod7t4bSVFnvyvP5nYdULHvA3tDWokzwxeHO8Xyo=;
 h=Date:From:To:Subject;
 z=Date:=20Mon,=2025=20Sep=202017=2017:30:11=20-0700=20(PDT)|From:=2
 0"Dan=20Mahoney=20(Gushi)"=20<danm@prime.gushi.org>|To:=20question
 s@freebsd.org|Subject:=20Why=20does=20chsh=20not=20support=20PAM?;
 b=BrSW4ajryegkXmsuYRQEUZunFjHegrT9tVPYQZk58oxKyj7fdciy7Y3jHWD0wyuWJ
 u9+yAttL1CKXHmEnvktkKT0xLj1Jcy8olsbGarb+jiE2CbOSgRZzFEUdaPVXcTD6vF
 1nlwX5pFNeU2ltEwhIZJewk9BB1Pvx/v78bSmO36Pc0O4vnV0U4C9egSAYdr4CnTXO
 tqJ66dyv3e28rm08VYOHhomuqA26HClgFqKRoTTuw7qOfsdaP5OupId0x+eAgM37fQ
 wOZW6Qpi2LLUjMoKyv1caoNXkEix/xfTssv/NtwDEIlwmfmYz4/PeJAW2v+5vvv9bo
 nq3KgZm9FGjHQ==
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 prime.gushi.org v8Q0UBxH059043
DomainKey-Signature: a=rsa-sha1; s=primegushiorg; d=prime.gushi.org; c=nofws;
 q=dns; 
 h=received:date:from:to:subject:message-id:user-agent:
 x-openpgp-key-id:mime-version:content-type;
 b=dj0v3LlZYM88PrIxnDZ2r7fpEYvI03xd/yZ7zrBy3IIlFZYHHKLb0lajHU52P2J9B
 m492EQvvVE9qktRyqe0oQ==
Received: (from danm@localhost)
 by prime.gushi.org (8.15.2/8.15.2/Submit) id v8Q0UBfq059042;
 Mon, 25 Sep 2017 17:30:11 -0700 (PDT) (envelope-from danm)
Date: Mon, 25 Sep 2017 17:30:11 -0700 (PDT)
From: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
To: questions@freebsd.org
Subject: Why does chsh not support PAM?
Message-ID: <alpine.BSF.2.20.1709251727100.58574@prime.gushi.org>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
X-OpenPGP-Key-ID: 0x624BB249
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2
 (prime.gushi.org [127.0.0.1]); Tue, 26 Sep 2017 00:27:49 +0000 (UTC)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Sep 2017 00:30:28 -0000

Hey all,

At the day job, our systems are Kerberized.  People log in with a 
kerberized ssh client (which checks Kerberos internally, rather than via a 
PAM module), or use GSSAPI-enabled ssh.

People get root via ksu.

Everyone has a "*" as their password entry in /etc/master.passwd

All this stuff is in -BASE.

Here's my question: Why have we not PAM-ified chsh yet?  Such that a user 
can change their shell or GECOS information using only their kerberos 
password.

How hard would this be to implement, rather than adding a hardcoded check 
against the password file in programs like chsh?

-Dan

-- 


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------