[Pkg-shadow-devel] Question about pam configuration settings regarding shadow tools
Michal Soltys
soltys at ziu.info
Thu May 29 21:48:48 UTC 2008
Nicolas François wrote:
> On Thu, May 29, 2008 at 10:10:03AM +0200, soltys at ziu.info wrote:
>> Hello list
>>
>> While checking the pam settings for shadow services I've noticed, that
>> while almost all tools provided - ch{age,fn,sh,passwd,gpasswd},
>> group{add,del,mod}, user{add,del,mod} and newusers - use only 'auth' and
>> 'account' services, their pam configuration files also include
>> 'password' service (in 'password include system-auth' form).
>>
>
> I think it is not needed.
>
> What I checked is that these tools do not try to change the authentication
> token (with pam_chauthtok) if the password is outdated.
>
Ok, thanks for clarification.
What I did is just quickly checked out the built tools with objdump -T
for pam imports. Looking at the code, all mentioned tools have
functionally (pam-wise) the same code.
BTW - I've moved global pamh into check_perms (it isn't used anywhere
else, besides pam_end at the very end of main, which can be easily
placed in check_perms) and tightened the code a bit. Example in attached
diff. If it's ok, I can prepare analogous diffs for the rest of the tools.
> In a future version, I might want to define the passwd set by
> newusers/chpasswd with PAM (I already have a patch for this if others are
> interested, but I don't know if it is correct to do this).
> This would permit to configure in a single place the requirements on how
> passwords must be generated on the system.
>
> BTW, I don't think configuring these tools (except chfn & chsh) with PAM
> support is really useful. I do prefer using the permissions on the
> shadow/passwd/group/gshadow files for that.
>
Well, it gives possibility for few things. E.g. if you add pam_unix.so
to 'auth' in chsh, user will be asked about his current password, before
allowed to change anything (a bit stretched example: against a joke by a
nearby sitting friend, to /bin/false). Well, pam is flexbile, so there
are prooly much more useful possibilities.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: chfn.diff
Url: http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20080529/8749e036/attachment.txt
More information about the Pkg-shadow-devel
mailing list