From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Why does chsh not support PAM?
Date: Tue, 26 Sep 2017 06:27:15 +0100

On 26/09/2017 01:30, Dan Mahoney (Gushi) wrote:
> At the day job, our systems are Kerberized. People log in with a
> kerberized ssh client (which checks Kerberos internally, rather than via
> a PAM module), or use GSSAPI-enabled ssh.
>
> People get root via ksu.
>
> Everyone has a "*" as their password entry in /etc/master.passwd
>
> All this stuff is in -BASE.
>
> Here's my question: Why have we not PAM-ified chsh yet? Such that a
> user can change their shell or GECOS information using only their
> kerberos password.
>
> How hard would this be to implement, rather than adding a hardcoded
> check against the password file in programs like chsh?

It is quite likely that we haven't PAM-ified chsh(1) or chpass(1) simply
because no-one has volunteered to do the work yet.
I suspect that the code required to do the job is not particularly
challenging, but as this is obviously a security-sensitive area, it
should be carefully reviewed to ensure that you aren't giving away far
more than you intended to.

If you're interested in having a go at implementing something like this,
talk to Dag-Erling (des@FreeBSD.org), who is the author of the PAM system
in FreeBSD and a former Security Officer. Then please do stick some
patches up on phabricator for review.

Cheers,

Matthew