Re: PAM Authentication Patch
From: Mark D. Baushke
Subject: Re: PAM Authentication Patch
Date: Sun, 20 Jun 2004 10:05:32 -0700

Pankaj K Garg <address@hidden> writes:
> I'm attaching a patch for enabling PAM
> authentication support.
>
> To keep the patch file small, I've not included
> the diffs to the files 'configure' and
> 'gnats/configure'. Use autoconf to generate
> these two files. If you need the generated
> files, let me know and I'll create another
> patch.
>
> PAM support can now be enabled by using
> '--enable-pam' switch to configure.
>
> With PAM support enabled, you can put an entry
> in the gnatsd.user_access file as:
>
> <user>:$p$:<access-level>
>
> and the authentication for the user will be done
> against the configured PAM modules.
>
> The name of the PAM service is taken from the
> DEFAULT_GANTS_SERVICE define, so by default it
> should be 'support'. Hence, you can configure
> PAM by creating the file /etc/pam.d/support on
> RH Linux.
>
> I've tried to make appropriate changes to the
> documentation. Let me know if any other document
> requires update.
>
> I've done some preliminary testing on my RH 9.0
> Linux. Please let me know if there's any problem
> with it.
>
> Pankaj

The biggest problem I have with PAM support for
gnatsd is that you will now be sending a
credential across the network in the clear which
is presumably able to be used as a credential
outside of gnats. This could lead to a simple
password replay attack to gain access to systems
by unauthorized individuals or their agents.

I strongly urge you to first include and enable
SSL (or TLS) support in gnatsd before you allow
PAM to be used to authorize connections.

-- Mark

> Chad C. Walstrom wrote:
> > Pankaj K Garg wrote:
> >
> >>Is anyone signed up for adding PAM
> >>authentication support yet? If not, I can sign
> >>up for it.
> > No, no one has signed up for this yet. I
> > placed your name in the
> > TODO
> > list and updated it in CVS. I don't plan on
> > making ChangeLog entries for these files
> > (.todo and TODO), though I will note the
> > changes made in the cvs log entry. Welcome
> > aboard! I look forward to getting your
> > patches!
>
> --
> Pankaj K Garg address@hidden
> 1684 Nightingale Avenue 408-373-4027
> Suite 201 408-733-2737(fax)
> Sunnyvale, CA 94087
>
> http://www.zeesource.net http://home.earthlink.net/~gargp
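
As an added example, not part of the original thread or of the GNATS patch: a small audit that lists the `$p$` entries in a user access file, that is, the accounts whose PAM credential would cross the network in the clear as described in the reply above. The field layout beyond the three fields shown in the quoted entry, the comment handling, and the `transport_encrypted` flag are assumptions.

```python
"""Audit a gnatsd.user_access file for PAM-backed ($p$) entries (added example)."""
from typing import NamedTuple

PAM_MARKER = "$p$"  # password-field value the patch uses to select PAM


class Entry(NamedTuple):
    lineno: int
    user: str
    access: str


def pam_backed_entries(text: str) -> list:
    """Return entries whose password field is exactly the PAM marker.

    Assumed layout: colon-separated user:password:access-level[:...],
    with '#' comment lines and blank lines ignored.
    """
    found = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # not a user entry in the assumed layout
        user, password, access = fields[0], fields[1], fields[2]
        if password == PAM_MARKER:
            found.append(Entry(lineno, user, access))
    return found


def audit(text: str, transport_encrypted: bool) -> list:
    """One finding per PAM-backed user when the listener is not encrypted.

    transport_encrypted is a hypothetical flag supplied by the operator.
    """
    if transport_encrypted:
        return []
    return [
        f"line {e.lineno}: {e.user} ({e.access}) authenticates via PAM over cleartext"
        for e in pam_backed_entries(text)
    ]


# Constructed sample file, not taken from a real installation.
SAMPLE = "# user:password:access-level\nalice:$p$:edit\nbob:not-pam-value:view\ncarol:$p$:admin\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE, transport_encrypted=False):
        print(finding)
```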