pam_eaccess is a PAM module which add a generic way to do authorization. Indeed, for each service (for which you want add authorization) you can define the list of users (or all) who are allowed to connect to this service.
# svn co http://svn.asyd.net/svn/pam_eaccess/releases/0.1 pam_eaccess # cd pam_eaccess # autoconf # ./configure # make # sudo make install
Then, check if you have /lib/security/pam_eaccess.so
# wget http://asyd.net/upstream/pam_eaccess-0.1.tar.gz # tar xvfz pam_eaccess-0.1.tar.gz # cd pam_eaccess # ./configure # make # sudo make install
Then, check if you have /lib/security/pam_eaccess.so
Well, it's actually very simple, you just need to add the following line to pam config :
auth required pam_eaccess.so
Note: the keyword debug is supported.
Note: this filename is actually hardcoded, you can't use another destination
pamtest: asyd, bruno login: [ALL]
This file has the following form :
The keyword [ALL] which can be used for service and/or users act as a wildcard.
There is a very simple way to test the pam_eaccess module, you need :
Create a pam.d resource file for a test service, like pameaccesstest, which contains :
/etc/pam.d/pameaccess
auth required pam_eaccess.so debug auth required pam_pwdfile.so pwdfile /etc/others.passwd
Create the file /etc/others.passwd which contains something like :
/etc/others.passwd
asyd:password bruno:password
Checking doc which come with your pwdfile upstream to know the format of password you must use (probably crypt/MD5)
Play with /etc/pam-access.conf, and use the pam-test.pl which comes with pam_eaccess
# echo "pamaccess: asyd" > /etc/pam.access # ./pam-test.pl pamaccess asyd mysecret [pam_myaccess.c:pam_sm_authenticate(52)] module called for service: pamaccess, user: asyd [pam_myaccess.c:pam_sm_authenticate(59)] no backend defined, use file [backends/file.c:check_access_file(70)] service pamaccess match pamaccess [backends/file.c:check_access_file(90)] user asyd match asyd Authentication succeeded