Why does chsh not support PAM?
Matthew Seaman
matthew at FreeBSD.org
Tue Sep 26 05:27:33 UTC 2017
On 26/09/2017 01:30, Dan Mahoney (Gushi) wrote:
> At the day job, our systems are Kerberized. People log in with a
> kerberized ssh client (which checks Kerberos internally, rather than via
> a PAM module), or use GSSAPI-enabled ssh.
>
> People get root via ksu.
>
> Everyone has a "*" as their password entry in /etc/master.passwd
>
> All this stuff is in -BASE.
>
> Here's my question: Why have we not PAM-ified chsh yet? Such that a
> user can change their shell or GECOS information using only their
> kerberos password.
>
> How hard would this be to implement, rather than adding a hardcoded
> check against the password file in programs like chsh?
>
It is quite likely that we haven't PAM-ified chsh(1) or chpass(1) simply
because no-one has volunteered to do the work yet.
I suspect that the code required to do the job is not particularly
challenging, but as this is obviously a security sensitive area, it
should be carefully reviewed to ensure that you aren't giving away far
more than you intended to.
If you're interested in having a go at implementing something like this,
talk to Dag-Erling (des at FreeBSD.org) who is the author of the PAM system
in FreeBSD and a former Security Officer. Then please do stick some
patches up on phabricator for review.
Cheers,
Matthew