
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

Introduction

pam_eaccess is a PAM module which adds a generic way to do authorization. For each service for which you want to add authorization, you can define the list of users (or all users) who are allowed to connect to this service.

Features

  • file backend
  • per service definition
  • LDAP backend

Roadmap

  • SQL backend
  • Per user IP filter

Installation

From SVN repository

# svn co http://svn.asyd.net/svn/pam_eaccess/releases/0.1 pam_eaccess
# cd pam_eaccess
# autoconf
# ./configure
# make
# sudo make install

Then, check if you have /lib/security/pam_eaccess.so

From tarball

# wget http://asyd.net/upstream/pam_eaccess-0.1.tar.gz
# tar xvfz pam_eaccess-0.1.tar.gz
# cd pam_eaccess
# ./configure
# make
# sudo make install

Then, check if you have /lib/security/pam_eaccess.so

Usage

pam.d/<service>

It's actually very simple: you just need to add the following line to the PAM config:

auth       required     pam_eaccess.so 

Note: the keyword debug is supported.

/etc/pam-access.conf

Note: this filename is actually hardcoded; you can't use another destination.

pamtest: asyd, bruno
login: [ALL]

This file has the following form:

  • one service per line; the service name MUST be followed by :
  • a comma-separated list of users

The keyword [ALL], which can be used for the service and/or the users, acts as a wildcard.
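The file format above, as an added example (this is not pam_eaccess's own code): a C function that evaluates a service/user pair against text in that format. It assumes that any matching line grants access, that no match means deny, and that lines without a colon or longer than the buffer are ignored; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trim leading/trailing whitespace in place and return the trimmed start. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Exact name match, or the [ALL] wildcard; an empty entry never matches. */
static int matches(const char *entry, const char *wanted) {
    return strcmp(entry, "[ALL]") == 0 || (*entry && strcmp(entry, wanted) == 0);
}

/* Return 1 if `user` may use `service` according to `conf`, else 0.
 * Assumptions (not taken from the module): any matching line grants access,
 * no match means deny, over-long or colon-less lines are skipped. */
int access_allowed(const char *conf, const char *service, const char *user) {
    while (*conf) {
        char line[256];
        size_t n = strcspn(conf, "\n");
        /* Fail closed: a truncated line could turn "asydx" into "asyd". */
        if (n < sizeof line) memcpy(line, conf, n);
        line[n < sizeof line ? n : 0] = '\0';
        conf += n + (conf[n] == '\n');
        char *colon = strchr(line, ':');
        if (!colon) continue;                 /* no "service:" prefix */
        *colon = '\0';
        if (!matches(trim(line), service)) continue;
        /* Walk the comma-separated user list after the colon. */
        for (char *u = colon + 1; u; ) {
            char *comma = strchr(u, ',');
            if (comma) *comma = '\0';
            if (matches(trim(u), user)) return 1;
            u = comma ? comma + 1 : NULL;
        }
    }
    return 0;                                 /* default deny */
}

int main(void) {
    /* Constructed sample with the same shape as the file shown above. */
    const char *conf = "pamtest: asyd, bruno\nlogin: [ALL]\n";
    printf("pamtest/bruno -> %d\n", access_allowed(conf, "pamtest", "bruno"));
    printf("sshd/asyd     -> %d\n", access_allowed(conf, "sshd", "asyd"));
    return 0;
}
```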

Testing

Requirements

There is a very simple way to test the pam_eaccess module. You need:

  • pam_pwdfile
  • Perl module Authen::PAM
  • pam_eaccess

pam.d/<service> file

Create a pam.d resource file for a test service, like pameaccesstest, containing:

/etc/pam.d/pameaccess

auth       required     pam_eaccess.so debug
auth       required     pam_pwdfile.so pwdfile /etc/others.passwd

passwd file

Create the file /etc/others.passwd, containing something like:

/etc/others.passwd

asyd:password
bruno:password

Check the documentation that comes with your pwdfile upstream to find out which password format you must use (probably crypt/MD5).

Testing

Play with /etc/pam-access.conf, and use the pam-test.pl script which comes with pam_eaccess.

# echo "pamaccess: asyd" > /etc/pam.access
# ./pam-test.pl pamaccess asyd mysecret 
[pam_myaccess.c:pam_sm_authenticate(52)] module called for service: pamaccess, user: asyd
[pam_myaccess.c:pam_sm_authenticate(59)] no backend defined, use file
[backends/file.c:check_access_file(70)] service pamaccess match pamaccess
[backends/file.c:check_access_file(90)] user asyd match asyd
Authentication succeeded
