#30: Support for skipping to labels instead of numbers of rules. --------------------------+------------------------------ Reporter: antarus | Owner: pam-developers@… Type: enhancement | Status: new Priority: minor | Component: library Version: | Keywords: Blocked By: | Blocking: --------------------------+------------------------------ Currently the advanced control syntax allows things like: auth [success=1] pam_module.so However, some sites (such as mine) have quite a complicated authentication structure, there are numerous authmechs, some are optional, and it is altogether a bit annoying to choose the correct number of rules to skip. Currently we try to keep the number of skip rules the same by injecting pam_permit.so lines with [default=ignore]. However we view this as fragile. I think what we would like to see is a label system. An example config for our mechs: ### Begin SSO Stack auth [success=ok new_authtok_reqd=ok default=3] pam_sso.so <% if @enabled_pam_krb5 %> auth [default=ignore] pam_krb5.so try_first_pass <% else %> # This null rule allows us to keep a deterministic skip value. auth [default=ignore] pam_permit.so <% end %> # Auth succeeded, don't try any more stacks. auth [default=ignore] pam_group.so auth [default=done] pam_permit.so ### End SSO Stack ### Begin KRB5 Stack auth [success=ok new_authtok_reqd=ok default=1] pam_krb5.so try_first_pass # Auth succeeded, don't try any more stacks. auth [default=ignore] pam_group.so auth [default=done] pam_permit.so ### End KRB5 Stack ### Begin Unix Stack auth [success=ok new_authtok_reqd=ok default=die] pam_unix.so try_first_pass auth [default=ignore] pam_group.so auth [default=done] pam_permit.so ### End Unix Stack A config with labels might be: ### Begin SSO Stack auth [success=ok new_authtok_reqd=ok default=@sso_end] pam_sso.so <% if @enabled_pam_krb5 %> # We need pam_krb5 even if CorpSSO worked because we need to get a kerberos TGT (not possible using pam-session alone.) auth [default=ignore] pam_krb5.so try_first_pass <% else %> # This null rule allows us to keep a deterministic skip value. auth [default=ignore] pam_empty.so <% end %> # Auth succeeded, don't try any more stacks. auth [default=ignore] pam_group.so auth [default=done] pam_permit.so label @sso_end ### End CorpSSO Stack ### Begin KRB5 Stack auth [success=ok new_authtok_reqd=ok default=@krb5_end] pam_krb5.so try_first_pass # Auth succeeded, don't try any more stacks. auth [default=ignore] pam_group.so auth [default=done] pam_permit.so label @krb5_end ### End KRB5 Stack ### Begin Unix Stack auth [success=ok new_authtok_reqd=ok default=die] pam_unix.so try_first_pass auth [default=ignore] pam_group.so auth [default=done] pam_permit.so ### End Unix Stack The label rules allow us to jump to the 'end of a ruleset' in an obvious way. It also means if we add more rules in a ruleset, we don't need to keep the skip numbers in sync with the number of rules; although we do need to keep rule ordered (label rules are last, in this use case.) If we define a new rule type (a label rule) I believe we can implement this briefly in libpam/pam_dispatch.c by handling jump actions as strings as well as integers (strings prefix with @ to indicate labels.) We can then iterate over the current stack looking for a label rule with a matching string. A failed match is similar to a failed skip rule as it is implemented today. -A -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/30> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project