Why does chsh not support PAM?

Matthew Seaman matthew at FreeBSD.org
Tue Sep 26 05:27:33 UTC 2017

On 26/09/2017 01:30, Dan Mahoney (Gushi) wrote:
> At the day job, our systems are Kerberized.  People log in with a
> kerberized ssh client (which checks Kerberos internally, rather than via
> a PAM module), or use GSSAPI-enabled ssh.
> People get root via ksu.
> Everyone has a "*" as their password entry in /etc/master.passwd
> All this stuff is in -BASE.
> Here's my question: Why have we not PAM-ified chsh yet?  Such that a
> user can change their shell or GECOS information using only their
> kerberos password.
> How hard would this be to implement, rather than adding a hardcoded
> check against the password file in programs like chsh?

It is quite likely that we haven't PAM-ified chsh(1) or chpass(1) simply
because no-one has volunteered to do the work yet.

I suspect that the code required to do the job is not particularly
challenging, but as this is obviously a security sensitive area, it
should be carefully reviewed to ensure that you aren't giving away far
more than you intended to.

If you're interested in having a go at implementing something like this,
talk to Dag-Erling (des at FreeBSD.org) who is the author of the PAM system
in FreeBSD and a former Security Officer.  Then please do stick some
patches up on phabricator for review.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170926/691f6be1/attachment.sig>

More information about the freebsd-questions mailing list