PAM exec patch to allow PAM_AUTHTOK to be exported.
Dan Lukes
dan at obluda.cz
Mon May 21 01:43:31 UTC 2007
Zane C.B. napsal/wrote, On 05/21/07 02:03:
>> 3. wants to be PAM aware, but its programmer is too lazy to write
>> it the clean way (as regular pam module) - we need the patch
>>
>> The patch shall be rejected because the only purpose of it
>> is to support lazy programmers creating hacks instead of solutions.
>
> Actually it does not support lazy programming, but makes life of an
> administrator easier.

The contrib/smbfs/mount_smbfs/mount_smbfs.c is very short and simple.
Writing a PAM module with the same functionality requires almost the same
amount of time as patching it. In advance, you need to catch not only
pam_sm_session_open but pam_sm_session_close (I assume you plan to
umount the resource also). Unfortunately (unless I miss something) pam_exec
has no way to pass the 'direction' to the called program. You can't use
the simple heuristic "when not mounted mount it and vice versa" either,
because the same user can have more than one simultaneous active session.
The logic you need to implement seems to require much more coding than
a simple patch on either pam_exec or mount_smbfs ...
pam_exec in the chain hurts more than it helps. IMHO, of course.
But further discussion about it seems not to be security related, so we
should not continue here.
Dan
--
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz
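
Added example, not part of the original message and not code from pam_exec or mount_smbfs: a small C model of the session accounting discussed above, comparing the "flip the mount state" heuristic with a per-user reference count when one user has overlapping sessions. All names and the sample event sequence are hypothetical, and nothing is actually mounted.

```c
#include <stdio.h>

enum event  { EV_OPEN, EV_CLOSE };
enum action { ACT_NONE, ACT_MOUNT, ACT_UMOUNT };

/* Constructed sample: one user, two overlapping sessions. */
static const enum event SAMPLE[] = { EV_OPEN, EV_OPEN, EV_CLOSE, EV_CLOSE };
enum { SAMPLE_LEN = 4 };

/* Toggle heuristic: the helper is not told the direction, so it flips state. */
static enum action toggle_step(int *mounted)
{
    *mounted = !*mounted;
    return *mounted ? ACT_MOUNT : ACT_UMOUNT;
}

/* Reference count: mount on the first open, unmount on the last close. */
static enum action refcount_step(int *sessions, enum event ev)
{
    if (ev == EV_OPEN)
        return (++*sessions == 1) ? ACT_MOUNT : ACT_NONE;
    if (*sessions == 0)
        return ACT_NONE;                 /* unmatched close: nothing to do */
    return (--*sessions == 0) ? ACT_UMOUNT : ACT_NONE;
}

/* Replay events; return 1 if a live session ever sees the share unmounted,
 * or if the share is still mounted after the last session has closed. */
int strategy_breaks(const enum event *ev, int n, int use_refcount)
{
    int mounted = 0, live = 0, sessions = 0;
    for (int i = 0; i < n; i++) {
        enum action a = use_refcount ? refcount_step(&sessions, ev[i])
                                     : toggle_step(&mounted);
        if (use_refcount && a != ACT_NONE)
            mounted = (a == ACT_MOUNT);
        live += (ev[i] == EV_OPEN) ? 1 : -1;
        if (live > 0 && !mounted)
            return 1;
    }
    return live == 0 && mounted;
}

int main(void)
{
    printf("toggle breaks: %d, refcount breaks: %d\n",
           strategy_breaks(SAMPLE, SAMPLE_LEN, 0),
           strategy_breaks(SAMPLE, SAMPLE_LEN, 1));
    return 0;
}
```

The counter here lives in memory only; a real helper would have to keep it per user in persistent state and update it under a lock, and the reference count only works when the caller knows whether a session is opening or closing.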