PAM conditional authentication (advanced control syntax)

Ben Woods woodsb02 at gmail.com
Sat Jul 22 09:23:09 UTC 2017


Hi des,

First of all, thank you for creating and maintaining OpenPAM!

I have been digging into PAM and kerberos over the last few days, and have
realised I want to have a different control flow depending on whether krb5
authentication fails due to an inability to contact the KDC (e.g. network or
KDC outage), or whether it fails because the KDC positively confirms that the
username/password combination is incorrect/invalid.

In Linux PAM this is possible using the advanced control syntax, however
this doesn't appear to exist in OpenPAM. Are there any plans to implement
it, or something similar?


The rest of this email is only to provide context of why I want this
functionality.

The ideal PAM flow in my example use case (using a new local cache PAM
module such as https://github.com/google/libpam-policycache):

1. Try kerberos authentication.
    - If krb5 fails with incorrect username/password, then break the chain and return a failure.
    - If krb5 fails with KDC unreachable, then skip the next 1 module in the chain (jump to using the cache) with the result a failure unless a later module succeeds.
    - If krb5 succeeds, then keep going in the chain with the result a success unless a later module fails.

2. Update the local cache with the username/password successfully used in
step 1, and then break the chain returning success.

3. Try authentication against the local cache, and pass or fail based on
the result (ending the chain).

With Linux's advanced control syntax, I believe this would look something
like the following:

auth [service_err=1 success=ok new_authtok_reqd=ok default=die] pam_krb5.so try_first_pass
auth [default=done] pam_policycache.so action=update use_first_pass
auth [success=ok new_authtok_reqd=ok default=bad] pam_policycache.so action=check use_first_pass


Thanks in advance,
Ben

--
From: Benjamin Woods
woodsb02 at gmail.com
