Thoughts on PAM

Eric A. Ayer mwalker at ee.pdx.edu
Fri Jun 16 00:04:32 PDT 2000


Hello all.

I have been reading the documentation for PAM again (3rd time or so), and I
think that I am beginning to understand it.  There was some talk a while ago
about including it in LFS, and I've kind of been waiting for someone else to
figure it out and implement it, but that someone else is just gonna have to be
me.

I think it would be a good addition to the project.  Basically, I have a
machine on the 'net, and I gotta pay attention to security.  PAM is really
complex, and so it is hard to understand, but it's also very configurable.
Each application can be configured seperately (each app that needs to authen-
ticate a user), and the the steps to determine whether to grant authentication
can do a lot of things.  For example, ftp access may be granted to anonymous
right away, skipping the rest of the chain, or it may continue, asking for a
password, checking against forbidden users, checking where the login is from,
etc.

There is a new, and mostly undocumented, way to "program" the chain of auth
steps to take any of multiple paths.  If one steps fails, it could skip the
next three, and continue from there.  In this way, auth becomes a program of
sorts.

In order to figure this out, I'm currently downloading redhell 6.2, which
should have lots of PAM configuration examples, as well as support for my SCSI
card (makes it possible to write lilo scripts to include the SCSI disk, as
well as the IDE).  However, if anyone knows anything about PAM, I would
greatly appreciate help in understanding it myself.  Like I say, the documen-
tation is sparse and really hard to follow.

					-Erik

--
Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
News Reader access: news.pcrdallas.com
Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
"unsubscribe" (without the quotation marks) in the body of the message
(no subject is required)



More information about the lfs-dev mailing list