help-gnats

Re: PAM Authentication Patch


From: Mark D. Baushke
Subject: Re: PAM Authentication Patch
Date: Sun, 20 Jun 2004 10:05:32 -0700

Pankaj K Garg <address@hidden> writes:

> I'm attaching a patch for enabling PAM
> authentication support.
> 
> To keep the patch file small, I've not included
> the diffs to the files 'configure' and
> 'gnats/configure'. Use autoconf to generate
> these two files. If you need the generated
> files, let me know and I'll create another
> patch.
> 
> PAM support can now be enabled by using
> '--enable-pam' switch to configure.
> 
> With PAM support enabled, you can put an entry
> in the gnatsd.user_access file as:
> 
>    <user>:$p$:<access-level>
> 
> and the authentication for the user will be done
> against the configured PAM modules.
> 
> The name of the PAM service is taken from the
> DEFAULT_GNATS_SERVICE define, so by default it
> should be 'support'. Hence, you can configure
> PAM by creating the file /etc/pam.d/support on
> RH Linux.
> 
> I've tried to make appropriate changes to the
> documentation. Let me know if any other document
> requires update.
> 
> I've done some preliminary testing on my RH 9.0
> Linux. Please let me know if there's any problem
> with it.
> 
> Pankaj

The biggest problem I have with PAM support for
gnatsd is that you will now be sending a
credential across the network in the clear which
is presumably able to be used as a credential
outside of gnats. This could lead to a simple
password replay attack to gain access to systems
by unauthorized individuals or their agents.

I strongly urge you to first include and enable
SSL (or TLS) support in gnatsd before you allow
PAM to be used to authorize connections.

        -- Mark

> Chad C. Walstrom wrote:
> > Pankaj K Garg wrote:
> >
> >>Is anyone signed up for adding PAM
> >>authentication support yet? If not, I can sign
> >>up for it.

> > No, no one has signed up for this yet. I
> > placed your name in the TODO list and updated
> > it in CVS. I don't plan on making ChangeLog
> > entries for these files (.todo and TODO),
> > though I will note the changes made in the cvs
> > log entry. Welcome aboard! I look forward to
> > getting your patches!
> 
> -- 
> Pankaj K Garg                         address@hidden
> 1684 Nightingale Avenue               408-373-4027
> Suite 201                             408-733-2737(fax)
> Sunnyvale, CA 94087
> 
> http://www.zeesource.net              http://home.earthlink.net/~gargp
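The thread above describes a `<user>:$p$:<access-level>` entry in gnatsd.user_access and the objection that a PAM-backed login sends a reusable system credential over an unencrypted gnatsd connection. The following is an added example, not code from gnats or from either poster: it parses entries in that form and reports which users would be exposed on a plaintext listener, so an operator can refuse PAM logins until TLS is available. The `$p$` marker and the default service name `support` come from the message; the comment syntax, the hashed-password sample and the `transport_encrypted` flag are assumptions made for the example.

```python
"""Policy check for gnatsd.user_access entries that use the $p$ PAM marker.

Constructed example (not gnats code). Lines have the form
    <user>:<password-field>:<access-level>
Only the $p$ marker is interpreted; every other password field is treated
as an opaque local secret that does not grant access outside gnats.
"""
from dataclasses import dataclass
from typing import List

PAM_MARKER = "$p$"        # marker quoted from the patch description
PAM_SERVICE = "support"   # default value of DEFAULT_GNATS_SERVICE per the thread


@dataclass(frozen=True)
class AccessEntry:
    user: str
    password_field: str
    access_level: str

    @property
    def uses_pam(self) -> bool:
        # PAM entries authenticate against the system, so the password
        # typed by the user is a system credential, not a gnats-only one.
        return self.password_field == PAM_MARKER


def parse_user_access(text: str) -> List[AccessEntry]:
    """Parse user_access lines; '#' comments and blank lines are skipped (assumption)."""
    entries: List[AccessEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:password:access-level")
        user, pw, level = (p.strip() for p in parts)
        if not user or not level:
            raise ValueError(f"line {lineno}: empty user or access level")
        entries.append(AccessEntry(user, pw, level))
    return entries


def exposed_pam_users(entries: List[AccessEntry], transport_encrypted: bool) -> List[str]:
    """Users whose PAM password would cross the network in the clear.

    The replay risk raised in the thread only exists when the channel is
    unencrypted, so an encrypted transport yields an empty list.
    """
    if transport_encrypted:
        return []
    return [e.user for e in entries if e.uses_pam]


def login_decision(entry: AccessEntry, transport_encrypted: bool) -> str:
    """Decide whether an entry may authenticate on the current connection.

    Returns 'allow' or 'refuse-plaintext-pam'. A local (non-PAM) password is
    allowed on either transport, matching what gnatsd already does; a PAM
    entry is allowed only over an encrypted transport.
    """
    if entry.uses_pam and not transport_encrypted:
        return "refuse-plaintext-pam"
    return "allow"


def pam_service_file(service: str = PAM_SERVICE) -> str:
    """Path of the PAM configuration consulted for the gnatsd service name."""
    return f"/etc/pam.d/{service}"


# Constructed sample file: one PAM-backed user, one local hashed password
# (the hash value is made up), one comment line.
SAMPLE_USER_ACCESS = """\
# constructed sample, not a real gnatsd.user_access file
alice:$p$:edit
bob:$1$constructedsalt$constructedhash:view
"""

if __name__ == "__main__":
    entries = parse_user_access(SAMPLE_USER_ACCESS)
    print("PAM service file:", pam_service_file())
    print("exposed on plaintext listener:", exposed_pam_users(entries, False))
    for e in entries:
        print(e.user, "->", login_decision(e, transport_encrypted=False))
```

Running the module on the constructed sample reports `alice` as exposed on a plaintext listener and refuses her PAM login there, while `bob`'s local password entry is unaffected; with `transport_encrypted=True` both are allowed, which is the ordering Mark asks for (TLS first, then PAM).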



