#30: Support for skipping to labels instead of numbers of rules.
--------------------------+------------------------------
Reporter: antarus | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: minor | Component: library
Version: | Keywords:
Blocked By: | Blocking:
--------------------------+------------------------------
Currently the advanced control syntax allows things like:
auth [success=1] pam_module.so
However, some sites (such as mine) have quite a complicated authentication
structure: there are numerous authmechs, some are optional, and it is
altogether a bit annoying to choose the correct number of rules to skip.
Currently we try to keep the number of skip rules the same by injecting
pam_permit.so lines with [default=ignore].
However, we view this as fragile. I think what we would like to see is a
label system.
An example config for our mechs:
### Begin SSO Stack
auth [success=ok new_authtok_reqd=ok default=3] pam_sso.so
<% if @enabled_pam_krb5 %>
auth [default=ignore] pam_krb5.so try_first_pass
<% else %>
# This null rule allows us to keep a deterministic skip value.
auth [default=ignore] pam_permit.so
<% end %>
# Auth succeeded, don't try any more stacks.
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
### End SSO Stack
### Begin KRB5 Stack
auth [success=ok new_authtok_reqd=ok default=1] pam_krb5.so try_first_pass
# Auth succeeded, don't try any more stacks.
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
### End KRB5 Stack
### Begin Unix Stack
auth [success=ok new_authtok_reqd=ok default=die] pam_unix.so try_first_pass
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
### End Unix Stack
A config with labels might be:
### Begin SSO Stack
auth [success=ok new_authtok_reqd=ok default=@sso_end] pam_sso.so
<% if @enabled_pam_krb5 %>
# We need pam_krb5 even if CorpSSO worked because we need to get a kerberos TGT (not possible using pam-session alone.)
auth [default=ignore] pam_krb5.so try_first_pass
<% else %>
# This null rule allows us to keep a deterministic skip value.
auth [default=ignore] pam_empty.so
<% end %>
# Auth succeeded, don't try any more stacks.
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
label @sso_end
### End CorpSSO Stack
### Begin KRB5 Stack
auth [success=ok new_authtok_reqd=ok default=@krb5_end] pam_krb5.so try_first_pass
# Auth succeeded, don't try any more stacks.
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
label @krb5_end
### End KRB5 Stack
### Begin Unix Stack
auth [success=ok new_authtok_reqd=ok default=die] pam_unix.so try_first_pass
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
### End Unix Stack
The label rules allow us to jump to the 'end of a ruleset' in an obvious
way. It also means if we add more rules in a ruleset, we don't need to
keep the skip numbers in sync with the number of rules; although we do
need to keep rules ordered (label rules are last, in this use case).
If we define a new rule type (a label rule) I believe we can implement
this briefly in libpam/pam_dispatch.c by handling jump actions as strings
as well as integers (strings prefixed with @ indicate labels).
We can then iterate over the current stack looking for a label rule with a
matching string. A failed match is similar to a failed skip rule as it is
implemented today.
-A
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/30>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
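The label scheme proposed in the ticket can be tried today as a preprocessing step: the script below (an added example, not code from the ticket or from Linux-PAM) reads a stack written with the hypothetical `label @name` rule type, rewrites each `@label` jump action into the numeric skip count libpam already accepts, and rejects jumps to undefined labels or to labels that are not ahead of the jumping rule. The sample stack is constructed from the ticket's label-based example with the ERB conditional resolved and comments removed.

```python
import re

# Constructed sample: the ticket's label-based stack with the ERB conditional
# resolved (krb5 branch) and comments dropped. "label @name" is the rule type
# the ticket proposes; it is not syntax that libpam accepts today.
LABELLED_STACK = """\
auth [success=ok new_authtok_reqd=ok default=@sso_end] pam_sso.so
auth [default=ignore] pam_krb5.so try_first_pass
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
label @sso_end
auth [success=ok new_authtok_reqd=ok default=@krb5_end] pam_krb5.so try_first_pass
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
label @krb5_end
auth [success=ok new_authtok_reqd=ok default=die] pam_unix.so try_first_pass
auth [default=ignore] pam_group.so
auth [default=done] pam_permit.so
"""


def resolve_labels(text):
    """Rewrite @label targets as the numeric skips libpam understands (N means
    skip the next N rules). Raise ValueError on undefined or backward labels."""
    rules, labels = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("label "):
            labels[line.split()[1]] = len(rules)  # index of the next real rule
        else:
            rules.append(line)

    def to_skip(idx, m):
        ret, act = m.groups()
        if not act.startswith("@"):
            return m.group(0)  # plain action (ok, ignore, die, 3, ...) is kept
        if act not in labels:
            raise ValueError(f"rule {idx}: undefined label {act}")
        skip = labels[act] - idx - 1  # rules between this one and the label
        if skip < 0:
            raise ValueError(f"rule {idx}: label {act} is not ahead of it")
        return f"{ret}={skip}"

    out = []
    for idx, rule in enumerate(rules):
        ctrl = re.search(r"\[(.*?)\]", rule)  # only the [...] control field
        if ctrl:
            body = re.sub(r"(\w+)=(@\w+|\w+)", lambda m: to_skip(idx, m), ctrl.group(1))
            rule = rule[:ctrl.start(1)] + body + rule[ctrl.end(1):]
        out.append(rule)
    return out
```

On this sample the pam_sso rule resolves to default=3, matching the hand-counted numeric stack in the ticket, while the KRB5 pam_krb5 rule resolves to default=2 rather than the ticket's 1; with 1, a krb5 failure skips only pam_group and lands on pam_permit [default=done].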