asyd.net

Welcome to Bruno Bonfils's (aka asyd homepage).

Trace: » pam_eaccess

This is an old revision of the document!

Introduction

pam_eaccess is a PAM module which add a generic way to do authorization. Indeed, for each service (for which you want add authorization) you can define the list of users (or all) who are allowed to connect to this service.

Features

file backend
per service definition

Roadmap

LDAP backend
SQL backend
Per user IP filter

Installation

From SVN repository

# svn co http://svn.asyd.net/svn/pam_eaccess/tags/20051107 pam_eaccess
# cd pam_eaccess
# autoconf
# ./configure
# make
# sudo make install

Then, check if you have /lib/security/pam_eaccess.so

From tarball

# wget http://asyd.net/upstream/pam_eaccess-20051107.tar.gz
# tar xvfz pam_eaccess-20051107.tar.gz
# cd pam_eaccess
# ./configure
# make
# sudo make install

Then, check if you have /lib/security/pam_eaccess.so

Usage

pam.d/<service>

Well, it's actually very simple, you just need to add the following line to pam config :

auth       required     pam_eaccess.so

Note: the keyword debug is supported.

/etc/pam-access.conf

Note: this filename is actually hardcoded, you can't use another destination

pamtest: asyd, bruno
login: [ALL]

This file has the following form :

one service per line, the service name MUST be followed by :
users lists coma separated

The keyword [ALL] which can be used for service and/or users act as a wildcard.

Testing

There is a very simple way to test the pam_eaccess module, you need :

pam_pwdfile
Perl module Authen::PAM
pam_eaccess