Hi All,

I am trying to use a few modules such as:

  pam_radius - does remote authentication
  pam_abl    - to lock users / IP addresses

My problem is: do I have any standard way to skip one of the PAM modules without changing the service conf file?

Suppose I don't want to enable locking of users; then one solution I can think of is to share a common database across the application and the PAM modules. The application sets a flag which indicates whether pam_abl is included or not. Then the pam_abl module will look into this database and either simply return PAM_SUCCESS always or process the user lockouts.

Please advise/comment.

Best Regards,
Ivan.
> Do i have any standard way to skip one of the PAM module
> with out changing the service conf file.

Why do you not want to change the per-service conf files? Those files _are_ the database. There are a bunch of strategies that you could use to, e.g., maintain your alterations as a diff to the base-system config so as to make upgrades easier, but a) to answer your question, no, there's nothing standard for that, and b) that is an especially risky approach - you could completely break your security, letting anyone in, or locking legitimate users out, etc.

-Jason
"Ivan Grover" <ivangrvr299@gmail.com> writes:
> Suppose i dont want to enable locking of users, then one solution i
> can think of is to share a common database across application and pam
> modules. The application sets the flag which indicates, if pam_abl
> is included or not. Then pam_abl module will look into this database
> and then return simply PAM_SUCCESS always or process the user
> lockouts.

Put pam_abl in a separate policy that you include in the others. Whenever you want to disable it, just comment out the contents of that policy.

DES
--
Dag-Erling Smørgrav - des@des.no
Thanks a lot. Please correct me if my understanding below is what you have suggested.

Create a separate service conf file such as lockout-users in /etc/pam.d, then in my service conf file I write like this:

  auth required pam_stack.so service=lockout-users

After that, whenever I want to disable the lockout, just edit the /etc/pam.d/lockout-users file and comment as below:

  #auth required pam_abl.so

Best Regards,
Ivan

On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav <des@des.no> wrote:
> "Ivan Grover" <ivangrvr299@gmail.com> writes:
> > Suppose i dont want to enable locking of users, then one solution i
> > can think of is to share a common database across application and pam
> > modules. The application sets the flag which indicates, if pam_abl
> > is included or not. Then pam_abl module will look into this database
> > and then return simply PAM_SUCCESS always or process the user
> > lockouts.
>
> Put pam_abl in a separate policy that you include in the others.
> Whenever you want to disable it, just comment out the contents of that
> policy.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
I think there is something like:

  auth include lockout-users

I feel this would be the right way to do this. Thanks ALL for your suggestions.

On Tue, Sep 23, 2008 at 1:14 PM, Ivan Grover <ivangrvr299@gmail.com> wrote:
> Thanks a lot. Please correct me if my understanding below is what you have
> suggested.
>
> create a separate service conf file such as lockout-users in /etc/pam.d,
> then in my service conf file, i write like this
>   auth required pam_stack.so service=lockout-users
>
> After that whenever i want to disable the lockout, just edit the
> /etc/pam.d/lockout-users file and comment as below:
>
>   #auth required pam_abl.so
>
> Best Regards,
> Ivan
>
> On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav <des@des.no> wrote:
>
>> "Ivan Grover" <ivangrvr299@gmail.com> writes:
>> > Suppose i dont want to enable locking of users, then one solution i
>> > can think of is to share a common database across application and pam
>> > modules. The application sets the flag which indicates, if pam_abl
>> > is included or not. Then pam_abl module will look into this database
>> > and then return simply PAM_SUCCESS always or process the user
>> > lockouts.
>>
>> Put pam_abl in a separate policy that you include in the others.
>> Whenever you want to disable it, just comment out the contents of that
>> policy.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
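The layout Dag-Erling describes, with the `auth include lockout-users` form Ivan settles on, as an added example that is not part of this thread: a POSIX shell script that builds the two policy files in a scratch directory standing in for /etc/pam.d (an assumption, so it can be run without touching the real system), then shows that enabling or disabling lockouts is only a matter of commenting out the single line inside the shared policy while the service file keeps its include. The service name `myservice` is made up; `pam_abl.so` and `pam_radius_auth.so` are the module file names of the two modules named in the thread, and `include` is the directive understood by current Linux-PAM and OpenPAM (the older pam_stack.so form from Ivan's first draft is not used here).

```shell
#!/bin/sh
# Added example, not from the thread. PAMD stands in for /etc/pam.d so the
# script can run in a scratch directory (assumption: PAMD is writable).
PAMD="${PAMD:-$(mktemp -d)}"
POLICY="$PAMD/lockout-users"   # separate policy holding only the lockout module
SERVICE="$PAMD/myservice"      # hypothetical service that includes that policy

# Create the two files. The service pulls the lockout policy in with
# "include" (Linux-PAM / OpenPAM syntax), so the service file never changes.
write_policies() {
    printf '%s\n' \
        '# lockout-users: shared lockout policy. Comment the auth line to disable lockouts.' \
        'auth    required    pam_abl.so' > "$POLICY"
    printf '%s\n' \
        '# myservice: authenticate against RADIUS, with lockouts from the shared policy' \
        'auth    include     lockout-users' \
        'auth    required    pam_radius_auth.so' \
        'account required    pam_unix.so' > "$SERVICE"
}

# Exit status 0 when an active (uncommented) pam_abl line exists in the policy.
lockout_enabled() {
    grep -q '^[[:space:]]*auth.*pam_abl\.so' "$POLICY"
}

# Disable lockouts by commenting out the module line. The policy file stays in
# place, so the service's "include" still resolves; it just contributes nothing.
disable_lockout() {
    sed 's/^auth\(.*pam_abl\.so.*\)$/#auth\1/' "$POLICY" > "$POLICY.tmp" &&
        mv "$POLICY.tmp" "$POLICY"
}

# Re-enable lockouts by removing the comment marker again.
enable_lockout() {
    sed 's/^#auth\(.*pam_abl\.so.*\)$/auth\1/' "$POLICY" > "$POLICY.tmp" &&
        mv "$POLICY.tmp" "$POLICY"
}

# Check to run before and after toggling: the policy file must exist and the
# service must still carry its include line, otherwise the toggle changed more
# than the one lockout line.
service_includes_policy() {
    [ -f "$POLICY" ] &&
        grep -q '^auth[[:space:]][[:space:]]*include[[:space:]][[:space:]]*lockout-users$' "$SERVICE"
}

# Stand-alone run: build the layout and report the current state.
write_policies
if lockout_enabled; then
    echo "lockouts enabled via $POLICY"
else
    echo "lockouts disabled via $POLICY"
fi
```

Run it as `sh lockout-toggle.sh`, or set `PAMD` to an existing directory to inspect the generated files. The point of `service_includes_policy` is Jason's warning: the toggle is safe only while the service file and the policy file both stay in place, so that an emptied policy is an include that adds nothing rather than a missing or rewritten stack.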