Darren J Moffat wrote:
> We were thinking that it would make sense to add a pam module that would
> permit controlling access to the system based on authorizations; it
> seems to be the type of thing that fits in nicely in the authorization
> model.
>
> There's already a basic authorization (solaris.login.remote) that has
> been used to control logins over the network on Trusted Solaris, so the
> basic configuration of such a PAM module could check for that
> authorization.
>
> We were thinking that adding solaris.login.local (a non-remote login
> that's not on the console) and solaris.login.console (when it is the
> console) would make sense.
>
> All three authorizations would be added to the Basic Solaris User
> profile, so that a default configuration with pam_authorized.so.1 in the
> stack wouldn't change anything for normal users.
>
> Additional authorizations could be required by specifying them as an
> option to the module, so that it becomes possible to require a host- or
> domain-specific authorization to gain access to a system.
>
One thing I am missing here is a way to use this module with explicitly
specified authorizations, but without requiring one of the
solaris.login.* authorizations (or with an additional one).

PAM is being used to authenticate and authorize access to services that
are not really system login access. Some examples I can think of from the
Sun Ray are registering Sun Ray devices or smart card tokens for use with
the system or access to the Sun Ray administration web console. In both
cases it makes sense to use the usual name services and authentication
mechanisms for the user accounts, and it would be great to use an
authorization to manage the administrative roles, but in neither case is
login or login-like access granted. (From the PAM side this is reflected
in that the session module functions are not used.)

BTW: Do you plan to document in more detail how the distinction
console/local/remote is made by the module? What combinations of PAM_TTY,
PAM_RHOST and other items must a PAM client set in order to signal one of
these cases?

- Jörg

--
Joerg Barfurth              phone: +49 40 23646662 / x66662
Software Engineer           mailto:joerg.barfurth at sun.com
Desktop Technology          http://reserv.ireland/twiki/bin/view/Argus/
Thin Client Software        http://www.sun.com/software/sunray/
Sun Microsystems GmbH       http://www.sun.com/software/javadesktopsystem/
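The decision logic of the proposed pam_authorized module, written out as an added C example (not code from the thread, from Solaris or from Sun Ray); a real module would fetch PAM_TTY and PAM_RHOST with pam_get_item(3PAM) and call chkauthattr(3C), which `sample_has_auth` and its constructed table stand in for here. The console/local/remote rule, the `require_login_auth` switch (the knob the reply asks for) and the `example.sunray.admin` name are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed rule (the thread leaves the exact one open): a non-empty PAM_RHOST
 * means remote, a tty of "console" or "/dev/console" means console, else local. */
enum login_class { LOGIN_CONSOLE = 0, LOGIN_LOCAL = 1, LOGIN_REMOTE = 2 };

enum login_class classify_login(const char *tty, const char *rhost)
{
    if (rhost != NULL && rhost[0] != '\0')
        return LOGIN_REMOTE;
    return (tty != NULL && (!strcmp(tty, "console") || !strcmp(tty, "/dev/console")))
               ? LOGIN_CONSOLE : LOGIN_LOCAL;
}

/* Stand-in for chkauthattr(3C): does user hold the named authorization? */
typedef bool (*has_auth_fn)(const char *user, const char *auth);

/* Decision of the proposed pam_authorized module. With require_login_auth set
 * (the thread's default) the user needs the solaris.login.* authorization for
 * the login class; clearing it is the hypothetical knob the reply asks for.
 * opts: NULL-terminated extra authorizations given as module options. */
bool pam_authorized_allow(const char *user, const char *tty, const char *rhost,
                          bool require_login_auth, const char *const *opts, has_auth_fn has_auth)
{
    static const char *const class_auth[] = {
        "solaris.login.console", "solaris.login.local", "solaris.login.remote" };
    if (require_login_auth && !has_auth(user, class_auth[classify_login(tty, rhost)]))
        return false;
    for (; opts != NULL && *opts != NULL; opts++)
        if (!has_auth(user, *opts))
            return false;
    return true;
}

/* Constructed "user:auth" table standing in for user_attr(4): alice holds the Basic
 * Solaris User login authorizations, bob only console login plus a made-up one. */
bool sample_has_auth(const char *user, const char *auth)
{
    static const char *const table[] = {
        "alice:solaris.login.console", "alice:solaris.login.local",
        "alice:solaris.login.remote", "bob:solaris.login.console",
        "bob:example.sunray.admin", NULL };
    char key[256];
    snprintf(key, sizeof key, "%s:%s", user, auth);
    for (const char *const *p = table; *p != NULL; p++)
        if (!strcmp(*p, key)) return true;
    return false;
}
```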