[562] in linux-security and linux-alert archive
PAM implementation effort....
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Jan 12 15:59:46 1996
Date: Fri, 12 Jan 1996 00:13:39 -0500
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: mvachhar@grimaldi.rutgers.edu, marc@redhat.com, ecarp@netcom.com
To: juphoff@tarsier.cv.nrao.edu, marekm@i17linuxb.ists.pwr.wroc.pl
To: hsdc1l@rhein-neckar.netsurf.de, alex@bach.cis.temple.edu, tytso@MIT.EDU
Cc: shadow-list@neptune.cin.net, linux-security@tarsier.cv.nrao.edu
OK, there definitely seems to be interest in implementing PAM for Linux.
Great! Everyone on the To: field has either sent me mail directly
saying that they were interested, or have sent enough mail on the
various lists that they're obviously interested.
Because I'm not on shadow-list@neptune.cin.net, and because PAM really
is only somewhat tangentially related to the shadow package ---- and
I've maintained enough mailing lists that I know that maintainers of
lists often get upset if a small subset of the people on the list
"hijack" a list for some different purpose, I've taken the liberty to
start a new mailing list:
linux-pam@mit.edu
I've seeded the list with the people on the To: list above. Other
people who are interested should send mail to me (tytso@mit.edu). This
list will be active by tomorrow morning. I suggest that for the reasons
I've listed above, we redirect discussion directly related to the PAM
implementation effort to this list.
Since I (foolishly?) volunteered to coordinate, and various other people
have said that they would write code if I would provide design specs ---
here goes. I propose the following task breakdown:
1) Administrivia: Ted
Set up mailing list (done)
Set up ftp space on tsx-11.mit.edu:/pub/linux/ALPHA/PAM (done)
Coordinate tasks (see below; in progress)
2) PAM header file: Ted
(I'll do this, so people have a common place to start from.)
Also, there isn't enough public information currently to
completely specify the PAM <-> PAM module interface. I'm going
to try to pry the information out of Sun (which they'll need to
give me, since they want me to write a PAM module for Kerberos).
<security/pam_appl.h> --- header for the application/PAM interface
<security/pam_modules.h> --- header for the PAM/PAM module interface
3) Write PAM library: (Need a volunteer)
The PAM library is responsible for parsing /etc/pam.conf, and
then using dlopen() to dynamically call the various component
libraries. It's responsible for calling the various libraries
in the right order, as specified by the rules in /etc/pam.conf
(i.e., control flags "required", "sufficient", "optional", etc.)
4) Write the PAM unix libraries: (Need volunteer(s))
pam_unix_auth.so ---- prompts for username/password and validates
it against /etc/passwd
pam_unix_account.so --- checks to see if user's user or account has
expired. (Account management is also the place
to add login time restrictions, if desired.)
pam_unix_session.so --- empty for unix
pam_unix_passwd.so --- password changing interface
These can either be four separate libraries, or they can be one library:
pam_unix.so. Eventually it probably makes sense to make it one library.
However, for ease of divvying up the task, we can implement them separately first.
5) Write the PAM shadow libraries: (Need volunteer(s))
6) Write the PAM S/Key interface: (Need volunteer(s))
7) Write the PAM Kerberos interface: (Ted -- I told Sun I'd do this)
8) Modify applications to use the PAM application interface:
(Need volunteer(s))
- login
- ftpd
- telnetd
- rlogind
- passwd
If there are people who are interested in participating in this effort,
please contact me and tell me what you're interested in doing. I'll
coordinate to make sure we don't duplicate effort.
Again, people should take a look at OSF RFC 86.0.txt. The URL is:
http://www.pilgrim.umass.edu/pub/osf_dce/RFC/rfc86.0.txt
This actually has a fairly complete description of the PAM <-> application
interface.
- Ted
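The control-flag stacking that item 3 assigns to the PAM library, as an added example that is not part of this message or of any PAM implementation: it parses a constructed pam.conf fragment and evaluates "required", "sufficient" and "optional" rules in file order. The run_module() table, the module names it answers for, and the 0/1 result codes are assumptions standing in for dlopen() and the real PAM constants.

```c
#include <stdio.h>
#include <string.h>
/* Constructed pam.conf fragment in the layout the message describes:
   service  type  control-flag  module. */
static const char *PAM_CONF =
    "login auth sufficient pam_kerberos.so\n"
    "login auth required   pam_unix_auth.so\n"
    "ftp   auth required   pam_unix_auth.so\n";

enum ctrl { REQUIRED, SUFFICIENT, OPTIONAL };
struct rule { enum ctrl flag; char module[32]; };
/* Stand-in for dlopen()/dlsym(): fixed results so the stack logic runs offline.
   0 = success, 1 = failure (hypothetical codes, not the real PAM constants). */
static int run_module(const char *name, int creds_ok) {
    if (strcmp(name, "pam_kerberos.so") == 0) return 1;  /* user has no Kerberos creds */
    if (strcmp(name, "pam_unix_auth.so") == 0) return creds_ok ? 0 : 1;
    return 1;                                            /* unknown module: fail closed */
}
/* Pull the "auth" rules for one service out of the config, in file order. */
int load_rules(const char *service, struct rule *out, int max) {
    char buf[256], svc[16], type[16], ctl[16], mod[32];
    int n = 0;
    strncpy(buf, PAM_CONF, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line && n < max; line = strtok(NULL, "\n")) {
        if (sscanf(line, "%15s %15s %15s %31s", svc, type, ctl, mod) != 4) continue;
        if (strcmp(svc, service) != 0 || strcmp(type, "auth") != 0) continue;
        out[n].flag = !strcmp(ctl, "required") ? REQUIRED
                    : !strcmp(ctl, "sufficient") ? SUFFICIENT : OPTIONAL;
        strcpy(out[n++].module, mod);
    }
    return n;
}

/* Walk the stack in order: a failed "required" module fails the whole stack, but the
   remaining modules still run so the caller cannot tell which one rejected it; a
   "sufficient" success ends the stack early only if nothing required has failed. */
int pam_auth_stack(const char *service, int creds_ok) {
    struct rule rules[8];
    int n = load_rules(service, rules, 8), req_failed = 0, req_seen = 0, any_ok = 0;
    for (int i = 0; i < n; i++) {
        int rc = run_module(rules[i].module, creds_ok);
        if (rules[i].flag == REQUIRED) { req_seen = 1; if (rc) req_failed = 1; }
        else if (rules[i].flag == SUFFICIENT && rc == 0 && !req_failed) return 0;
        if (rc == 0) any_ok = 1;
    }
    if (n == 0 || req_failed) return 1;        /* no rules at all: fail closed */
    return (req_seen || any_ok) ? 0 : 1;
}
```

A service with no entry in the config is refused rather than silently allowed through, which is the check a deployment should verify for every new service added to pam.conf.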