About pam_access

Dan Yefimov dan at lightwave.net.ru
Fri May 6 10:03:15 UTC 2011


On 06.05.2011 13:00, Александр Берсенев wrote:
> About unpredictable results.
> Here is my /etc/pam.d/rsh config; for simplicity,
> /etc/security/access.conf is empty (allow everyone) and
> /etc/security/pam_env.conf is also empty (does not set any env):
>
> #%PAM-1.0
>
> auth       sufficient            pam_access.so
> auth       optional     pam_env.so
>
> account    include      password-auth
> session    optional     pam_keyinit.so    force revoke
> session    required     pam_loginuid.so
> session    include      password-auth
>
> The rsh authorizes me successfully:
> [u1333 at um32 ~]$ rsh umu4 id
> uid=1003(u1333) gid=100(users)
> группы=100(users),1013(OSO),5001(um32),5005(um64),5006(umt),5007(cluster_sudo)
>
> But this configuration gives me an access denied error:
>
> #%PAM-1.0
>
> auth       sufficient            pam_access.so
> #auth       optional     pam_env.so
>
> account    include      password-auth
> session    optional     pam_keyinit.so    force revoke
> session    required     pam_loginuid.so
> session    include      password-auth
>
> [u1333 at um32 ~]$ rsh umu4 id
> Permission denied.
>
> If I use "auth required pam_securetty.so" instead of "auth optional
> pam_env.so" in the above samples, the results are the same.
>
> I think it is kind of unpredictable. In my environment I am forced to
> keep the almost-do-nothing module pam_env.so (with an empty config file) and a
> "don't delete this line or it will be broken" comment.
>
> Also, the line "auth required pam_access.so" in pam.d will always fail.
> Changing it to "return (PAM_SUCCESS)" instead of "return (PAM_IGNORE)" in
> pam_sm_setcred solves the problem, but I don't know about possible drawbacks
> of this decision.
>
How about adding 'auth required pam_permit.so' at the end of the 'auth' stack? It's 
not unpredictable that the entire stack fails when no module in the 
stack succeeds, since there's an implicit PAM_DENY at the end of the stack.

-- 

Sincerely Yours, Dan.
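As an added illustration of the stack semantics discussed in this thread (example code written for this page, not code from the thread or from Linux-PAM), the following Python model evaluates an 'auth' stack the way libpam's dispatcher does and runs the two phases an rsh-style application performs, pam_authenticate() and then pam_setcred(), against the two configurations quoted above. The per-module behaviour table is an assumption: pam_access's pam_sm_setcred returning PAM_IGNORE is what the thread reports; pam_env's authenticate being a no-op, and pam_permit and pam_securetty returning success, are assumed for the model. The pam.d parser handles only the shorthand control flags (required, requisite, sufficient, optional).

```python
"""Model of how Linux-PAM evaluates an 'auth' stack for the two phases an
rsh-style application runs: pam_authenticate() and then pam_setcred().

Added example, not code from the thread or from Linux-PAM. It follows the
control-flag semantics documented in pam.conf(5) and the result-tracking logic
of libpam's pam_dispatch.c, simplified to the shorthand flags and three return
codes. The per-module behaviour table is a constructed assumption based on what
the thread reports (pam_access's pam_sm_setcred returns PAM_IGNORE).
"""

SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
PERM_DENIED = "PAM_PERM_DENIED"   # also libpam's PAM_MUST_FAIL_CODE

# Shorthand control flags, expanded as in pam.conf(5):
#   required   = [success=ok   ignore=ignore default=bad]
#   requisite  = [success=ok   ignore=ignore default=die]
#   sufficient = [success=done               default=ignore]
#   optional   = [success=ok                 default=ignore]
CONTROL = {
    "required":   {SUCCESS: "ok",   IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "default": "ignore"},
}


def evaluate_stack(results):
    """results: [(control_flag, module_return_code), ...] in pam.d order.
    Returns the code libpam hands back to the application for this phase."""
    impression = None        # None = undefined, True = positive, False = negative
    status = PERM_DENIED     # returned if no module ever sets a result
    for control, retval in results:
        table = CONTROL[control]
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue                         # leaves no mark on the outcome
        if action in ("ok", "done"):
            # a success counts only if nothing earlier already failed
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break                        # 'sufficient' short-circuits
        else:                                # "bad" or "die"
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    # pam_dispatch.c sanity check: a stack nobody contributed to is a denial
    if impression is None or (status == SUCCESS and not impression):
        return PERM_DENIED
    return status


def parse_auth_stack(pamd_text):
    """Extract (control, module) pairs from the 'auth' lines of a pam.d file
    (shorthand flags only; bracketed [...] syntax is not modelled)."""
    stack = []
    for line in pamd_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drops '#%PAM-1.0' and comments
        if line:
            fields = line.split()
            if fields[0] == "auth":
                stack.append((fields[1], fields[2]))
    return stack


def module_result(module, phase, access_allowed):
    """Constructed model of what each module returns per phase (assumption)."""
    if module == "pam_access.so":
        if phase == "setcred":
            return IGNORE               # reported in the thread
        return SUCCESS if access_allowed else PERM_DENIED
    if module == "pam_env.so":
        return IGNORE if phase == "auth" else SUCCESS   # no-op authenticate
    return SUCCESS                      # pam_permit, pam_securetty on an allowed tty


def rsh_login(pamd_text, access_allowed=True):
    """pam_authenticate() followed by pam_setcred(); both must succeed."""
    stack = parse_auth_stack(pamd_text)
    for phase in ("auth", "setcred"):
        rc = evaluate_stack([(ctl, module_result(mod, phase, access_allowed))
                             for ctl, mod in stack])
        if rc != SUCCESS:
            return rc
    return SUCCESS


# The two configurations quoted in the thread (auth lines only).
WITH_ENV = "auth sufficient pam_access.so\nauth optional pam_env.so\n"
WITHOUT_ENV = "auth sufficient pam_access.so\n"
# The suggested pam_permit line, and a variant that keeps pam_access's verdict binding.
PERMIT_AFTER_SUFFICIENT = "auth sufficient pam_access.so\nauth required pam_permit.so\n"
PERMIT_AFTER_REQUIRED = "auth required pam_access.so\nauth required pam_permit.so\n"

if __name__ == "__main__":
    for name, cfg in [("with pam_env", WITH_ENV), ("without pam_env", WITHOUT_ENV),
                      ("sufficient + permit", PERMIT_AFTER_SUFFICIENT),
                      ("required + permit", PERMIT_AFTER_REQUIRED)]:
        print(f"{name:22s} allowed={rsh_login(cfg):16s} "
              f"denied-by-access.conf={rsh_login(cfg, access_allowed=False)}")
```

The model reproduces both observations from the thread: with pam_env present the setcred phase has a module that returns success, without it the only module returns PAM_IGNORE, nothing contributes, and the implicit deny produces "Permission denied". It also shows a caveat worth checking before adopting 'auth sufficient pam_access.so' followed by 'auth required pam_permit.so': a denial from access.conf is mapped to 'ignore' by the sufficient flag, and pam_permit then grants access, so access.conf no longer enforces anything. If access.conf is meant to be a policy, 'auth required pam_access.so' followed by 'auth required pam_permit.so' keeps the denial binding while still giving the setcred phase a module that returns success.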