pam_admin 0.1b review
pam_admin is a PAM module that allows using login suffixes for users to become root with their own password.
In a first stage, the module checks whether the user name has the form < user >+< suffix >, where < suffix > is supplied as an argument. If the check succeeds, the +< suffix > part is stripped and control is passed to the following module. In this stage, the module acts similarly to the pam_realm module on which it is based (see http://only.mawhrin.net/~mss/thingies/pam-realm/).
In a second stage (if the module is required a second time in the PAM stack), after "real" authentication has occurred through a dedicated module (e.g. pam_unix), it gives the user root access if he used the configured suffix and is listed in, or is a member of a group listed in, the file "/etc/security/pam_admin.conf".
Note that this module only responds to PAM "auth" queries.
Because OpenSSH verifies the user identity on behalf of PAM, this module won't work with ssh connections (the user is simply not authorized).
INSTALLATION:
Uncompress the sources with:
tar xvfz pam-admin-VERSION-tgz
Place yourself in the source directory and type:
make
Then as root:
make install
You could uninstall the module as root with the command:
make uninstall
OPTIONS:
debug -- print debugging information
suffix=< suffix > -- specify the < suffix > to check against
allowbare -- also allows the user name to be of form just < user > without any +< suffix >; this parameter has no effect when "becomeroot" is used
nostrip -- in certain cases, it may be of use to just check if the user name is of proper form
becomeroot -- if "suffix" was detected in a previous call to the module, let the user become root if he (or one of his groups) is listed in the /etc/security/pam_admin.conf file
Note: using a different suffix in the two module queries causes the second stage to always fail when stage 1 succeeds with the first suffix. In future versions, the second stage should use the suffix configured for the first stage.
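The option rules above can be checked mechanically before a PAM stack goes live. The following is an added example, not code from pam_admin or its author: a small linter for a PAM service file that flags the documented pitfalls (non-auth use, allowbare combined with becomeroot, becomeroot without a first stage, mismatched suffixes). The module file name pam_admin.so, the "required" control flags and the sample stack are assumptions.

```python
import re

# Assumption: the module file is named pam_admin.so (the page does not name it).
MODULE = "pam_admin.so"
# PAM service-file line: type, control (word or [bracketed]), module path, arguments.
LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample stack; the "required" control flags are an assumption.
SAMPLE = """\
# /etc/pam.d/login (constructed)
auth     required  pam_admin.so suffix=admin
auth     required  pam_unix.so
auth     required  pam_admin.so suffix=root becomeroot allowbare
account  required  pam_admin.so suffix=admin
"""

def pam_admin_entries(text):
    """Return (lineno, type, args) for each pam_admin line in a service file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0])  # drop comments
        if m and m.group(3).rsplit("/", 1)[-1] == MODULE:
            entries.append((lineno, m.group(1).lstrip("-"), m.group(4).split()))
    return entries

def lint(text):
    """Check pam_admin lines against the behaviour the page documents."""
    findings, seen_stage1, stage1_suffix = [], False, None
    for lineno, ptype, args in pam_admin_entries(text):
        suffix = next((a[7:] for a in args if a.startswith("suffix=")), None)
        if ptype != "auth":
            findings.append((lineno, "module only responds to auth queries"))
            continue
        if not suffix:
            findings.append((lineno, "no suffix= value given"))
        if "becomeroot" not in args:
            seen_stage1, stage1_suffix = True, suffix
            continue
        if "allowbare" in args:
            findings.append((lineno, "allowbare has no effect with becomeroot"))
        if not seen_stage1:
            findings.append((lineno, "becomeroot with no earlier first-stage call"))
        elif suffix != stage1_suffix:
            findings.append((lineno, "suffix differs from stage 1: stage 2 always fails"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run it against each file in /etc/pam.d that references the module; an empty result means the two stages are paired and use the same suffix.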