Lesley Kimmel <lesley.j.kimmel at gmail.com> writes:> So I probably shouldn't have said "arbitrary" script. What I really > want to do is to present a terms of service notice (/etc/issue). But I > also want to get the user to actually confirm (by typing 'y') that > they accept. If they try to exit or type anything other than 'y' they > will be denied access.It is relatively trivial to write a PAM module to do that. DES -- Dag-Erling Sm?rgrav - des at des.no
On Fri, Mar 4, 2016 at 4:02 AM, Dag-Erling Sm?rgrav <des at des.no> wrote:> Lesley Kimmel <lesley.j.kimmel at gmail.com> writes: >> So I probably shouldn't have said "arbitrary" script. What I really >> want to do is to present a terms of service notice (/etc/issue). But I >> also want to get the user to actually confirm (by typing 'y') that >> they accept. If they try to exit or type anything other than 'y' they >> will be denied access. > > It is relatively trivial to write a PAM module to do that. > > DES > -- > Dag-Erling Sm?rgrav - des at des.noWhich will have the relevant configuration overwritten and disabled the next time you run "authconfig" on Red Hat based sysems. I'm not sure if this occurs with other systems, but tuning PAM is like tuning SELinux: it's a lot of extra work with little return-on-investment, and in this case for a change that will irritate *every single user* and break a number of API's. I can't recommend this approach.
Nico Kadel-Garcia <nkadel at gmail.com> writes:> Dag-Erling Sm?rgrav <des at des.no> writes: > > It is relatively trivial to write a PAM module to do that. > Which will have the relevant configuration overwritten and disabled > the next time you run "authconfig" on Red Hat based sysems. I'm not > sure if this occurs with other systems, but tuning PAM is like tuning > SELinux: it's a lot of extra work with little return-on-investment, > and in this case for a change that will irritate *every single user* > and break a number of API's. I can't recommend this approach.It won't break any APIs, and have you considered that OP might not have a choice? That this may be a legal requirement? DES -- Dag-Erling Sm?rgrav - des at des.no