PAM_RHOST and reverse hostname lookups
Andrew Bartlett
abartlet at samba.org
Wed Jun 29 22:39:34 MDT 2011
On Wed, 2011-06-29 at 11:05 +0200, Andreas Schneider wrote:
> Hi Jeremy,
>
> we had some discussions about my s3-auth patchset. We don't want to introduce
> a new dependency in the auth system and get rid of some old ones.
>
> Currently we're doing reverse hostname lookups in s3-auth to set PAM_RHOST. As
> reverse lookups are disabled by default and PAM_RHOST is only really used by
> two modules (pam_rhosts.so and pam_abl.so (auto blacklisting) and else just
> for auditing I would like to suggest to set PAM_RHOST always to the ip
> address.
To give some more background to this: The PAM stack is only invoked in
Samba (excluding the plaintext password case) for 'account', 'password'
and 'session' modules. So I doubt any sensible case will be using
pam_rhosts, and pam_abl won't have the data to operate anyway, even if
it hooks at these layers.
Finally, while a noble goal at the time, the idea of synchronising with
and interacting with PAM as the authoritative source of data is neat,
but we should have instead pushed harder the reverse. We should have
pressed the standard solution to be that of using PAM so everyone else
could talk to our DB (pam_smbpass) rather than valiantly trying to keep
our DB in sync, given that we have to hold challenge-response compatible
passwords.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list