On Fri, Oct 3, 2008 at 4:16 AM, Darren J Moffat <Darren.Moffat at sun.com> wrote:
> I considered that, but hadn't discussed it with Bart. At one point during
> the development of our proposal we had the ability to specify a profile to
> capture the case of multiple authorisations eg:
>
> pam_authorized.so.1 profile="MyCompany J2EE Logins"
>
> We dropped that yesterday just before I sent out the proposal because we
> thought it might be hard to understand what it meant. For example does it
> mean any authorization listed in that profile or all of them ? In your
> example it would mean any authorization.
I like one aspect of this a fair amount. By adding the following to pam.conf:

    ... pam_authorized.so.1 profile="Login to %f"

I can then manage access control at the directory service level without per-host configuration. Of course, there is also pam_list that could accomplish something similar.

Various lines for the various PAM service names could be used for things like "Remote login to %f", "Console login to %f", and "Legacy remote protocols login to %f".

On the down side, it does put a bit of a treasure trove of "how do I attack this site?" information into the directory service. But I guess that RBAC is already well down that path.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/
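What the per-service idea above would look like end to end, as an added illustration that is not part of the original thread and not the proposal's own documentation. It assumes three things the messages do not spell out: that pam_authorized.so.1 would be stacked as an account module, that "%f" expands to the fully qualified name of the host evaluating the stack, and that the directory-side profiles and assignments use the same prof_attr(4) and user_attr(4) layout Solaris RBAC already uses for name services. The service names sshd-kbdint, rlogin and login are existing Solaris PAM service names; the host, user and profile names are made up.

```text
# /etc/pam.conf on every host (identical everywhere; the host name is
# filled in at runtime by the assumed %f expansion)
#
# service      module_type  control   module_path         options
sshd-kbdint    account      required  pam_authorized.so.1 profile="Remote login to %f"
rlogin         account      required  pam_authorized.so.1 profile="Legacy remote protocols login to %f"
login          account      required  pam_authorized.so.1 profile="Console login to %f"

# prof_attr entries published by the directory service (one set per host,
# format: profname:res1:res2:description:attr) -- constructed sample data
Remote login to db1.example.com:::SSH access to db1:
Console login to db1.example.com:::Console access to db1:
Legacy remote protocols login to db1.example.com:::rlogin/telnet access to db1:

# user_attr entries in the directory (format: user:qualifier:res1:res2:attr)
# -- constructed sample data
alice::::profiles=Remote login to db1.example.com
bob::::profiles=Remote login to db1.example.com,Console login to db1.example.com
```

With this layout, granting or revoking SSH access to db1 is a single change to alice's or bob's user_attr entry in the directory, and no file on db1 itself changes. The trade-off the reply points out is visible in the same data: anyone who can enumerate prof_attr can list every host and every access path the site distinguishes, so the directory's read ACLs on these entries deserve the same care as the entries themselves.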