Godugu, Rajeshwar (NSN - IN/Bangalore)
2008-Sep-15 11:15 UTC
Does OpenSSH support setting PAM_AUSER
Hi All,
Godugu, Rajeshwar (NSN - IN/Bangalore)
2008-Sep-15 12:01 UTC
Does OpenSSH support setting PAM_AUSER
Hi All,

I have OpenSSH "OpenSSH_5.1p1, OpenSSL 0.9.7d 17 Mar 2004" installed on machines which have Solaris 10 as the OS. I have a requirement to implement RBAC (Role Based Access Control) on my system. As part of RBAC, I have to provide a remote role2role login feature (for more details: http://bugs.opensolaris.org/view_bug.do;jsessionid=bac85b2b6bd564e843af4907bd1?bug_id=6213280 and http://opensolaris.org/jive/thread.jspa?threadID=64615&tstart=45 ).

By default roles don't support remote login to roles; the reason behind this is that the PAM (pluggable authentication module) module pam_roles will not allow remote users to assume roles. For more details: http://docs.sun.com/app/docs/doc/819-2252/pam-roles-5?a=view

The pam_roles man page says that this feature is possible by setting PAM_AUSER, but only the sshd-hostbased service can set this PAM_AUSER. According to the pam_roles(5) man page, after making the following change to /etc/pam.conf, remote role assumption should work:

"sshd-hostbased account requisite pam_roles.so.1 allow_remote"

1) My doubt is: in the pam_roles man page it is not clearly mentioned whether it will work with Open-ssh or SSH?

2) So can you please tell me, will this sshd-hostbased service set PAM_AUSER or not?

If the mail is not clear, please do reply without any hesitation.

Thanks in advance,
Regards,
Rajas
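The question hinges on one line in /etc/pam.conf, whose Solaris format is "service module-type control-flag module-path [options]". The following is an added example (not code from the thread or from OpenSSH) that parses that format and reports, per service, whether the pam_roles account entry carries allow_remote, so an administrator can audit the stack before relying on it. The sample pam.conf text is constructed for the example and only models the line quoted above; the function names are the example's own. Note that the entry is only effective with an sshd that actually sets PAM_AUSER, which (as the reply below explains) stock OpenSSH does not.

```python
"""Audit a Solaris-style pam.conf for pam_roles 'allow_remote' entries.

Example code written for this thread, not part of OpenSSH or Solaris.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PamEntry:
    """One non-comment line of pam.conf (Solaris single-file format)."""
    service: str
    module_type: str      # auth | account | session | password
    control: str          # required | requisite | sufficient | optional | binding
    module_path: str      # e.g. pam_roles.so.1 or an absolute path
    options: List[str] = field(default_factory=list)


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf text; '#' starts a comment, blank lines are skipped.

    Raises ValueError on a line with fewer than the four mandatory fields,
    because a truncated entry is exactly the kind of mistake an audit
    should surface rather than silently ignore.
    """
    entries: List[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: malformed entry {raw!r}")
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries


def roles_allow_remote(entries: List[PamEntry], service: str) -> Optional[bool]:
    """True/False if `service` has an account-type pam_roles entry with/without
    allow_remote; None if the service has no pam_roles account entry at all
    (in which case Solaris falls back to the 'other' stack)."""
    for e in entries:
        if e.service != service or e.module_type != "account":
            continue
        # module_path may be bare or absolute; compare on the basename
        if os.path.basename(e.module_path).startswith("pam_roles"):
            return "allow_remote" in e.options
    return None


def audit_allow_remote(text: str) -> Dict[str, bool]:
    """Map every service with a pam_roles account entry to its allow_remote flag."""
    entries = parse_pam_conf(text)
    result: Dict[str, bool] = {}
    for e in entries:
        flag = roles_allow_remote(entries, e.service)
        if flag is not None:
            result[e.service] = flag
    return result


# Constructed sample modelled on the single line quoted in the question;
# the 'other' stack is the Solaris default that remote logins hit otherwise.
SAMPLE_PAM_CONF = """\
# constructed sample pam.conf fragment (account stacks only)
other          account requisite pam_roles.so.1
other          account required  pam_unix_account.so.1
sshd-hostbased account requisite pam_roles.so.1 allow_remote
sshd-hostbased account required  pam_unix_account.so.1
"""

if __name__ == "__main__":
    for svc, allowed in sorted(audit_allow_remote(SAMPLE_PAM_CONF).items()):
        print(f"{svc:15s} pam_roles allow_remote={allowed}")
```

Running the script against a real file (`audit_allow_remote(open("/etc/pam.conf").read())`) shows which service names permit remote role assumption; whether the sshd in use invokes PAM under the service name "sshd-hostbased" and sets PAM_AUSER is a separate question that the pam.conf alone cannot answer.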
Godugu, Rajeshwar (NSN - IN/Bangalore) wrote:
[...]
> "sshd-hostbased account requisite pam_roles.so.1 allow_remote"
>
> 1) My doubt is, In pam_roles man page it is not clearly mentioned, will
> it work with Open-ssh or SSH?
>
> 2) So can you please tell me, is this sshd-hostbased service will set
> PAM_AUSER or not?

PAM_AUSER is not part of the PAM spec (either XSSO[1] or the original Sun RFC[2]) and OpenSSH does not currently use it. The link you posted suggests that Sun have modified the sshd that ships with Solaris to use it for some auth methods, but you would need to ask Sun about that.

[1] http://www.opengroup.org/onlinepubs/008329799/
[2] http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.