Re: dtlogin

From: Charles Clancy (security@xauth.net)
Date: 12/31/01


Date: Mon, 31 Dec 2001 16:33:55 -0600 (CST)
From: Charles Clancy <security@xauth.net>
To: Kapetanakis Giannis <bilias@edu.physics.uoc.gr>


> To make it clear what I want to do:
> Allow normal+nis users login via ssh (telnet/ftp whatever)
> Disallow nis users on dtlogin (allow local users)

Attached is a simple PAM module (perhaps PA module would be less
redundant), to do what you want. It only lets people in /etc/passwd log in.
Compile, install, and add the following to /etc/pam.conf:

        dtlogin auth required /usr/lib/security/pam_local.so

I'm sure people could suggest lots of improvements, but it works.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy

----- pam_local.c -----

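/*
** pam_local <> only lets users from /etc/passwd log in
** author: t. charles clancy <> tclancy@uiuc.edu
** to compile:
**   gcc -c pam_local.c -o pam_local.o
**   ld -G pam_local.o -o pam_local.so -lpam
** to install:
**   cp pam_local.so /lib/security/pam_local.so
** to use, add the following to /etc/pam.conf:
**   [service] auth required /usr/lib/security/pam_local.so
*/

#define CONST const
#define PAM_SM_AUTHENTICATE

#include <stdio.h>
#include <string.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>

extern int pam_sm_authenticate(pam_handle_t *pamh,
        int flags, int argc, CONST char **argv)
{
        char *user = NULL, line[200];
        size_t len;
        int at_start = 1, found = 0;
        FILE *h;

        /* deny if the user name cannot be obtained or is empty */
        if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS ||
            user == NULL || *user == '\0')
                return PAM_PERM_DENIED;
        len = strlen(user);

        /* read-only access is enough; deny if the file cannot be opened */
        h = fopen("/etc/passwd", "r");
        if (h == NULL)
                return PAM_PERM_DENIED;

        /* compare the whole first field: the name must be followed by ':' */
        while (!found && fgets(line, sizeof(line), h) != NULL) {
                if (at_start && strncmp(user, line, len) == 0 &&
                    line[len] == ':')
                        found = 1;
                /* no newline read: the next fgets() continues this line */
                at_start = (strchr(line, '\n') != NULL);
        }
        fclose(h);

        return found ? PAM_SUCCESS : PAM_PERM_DENIED;
}

extern int pam_sm_setcred(pam_handle_t *pamh,
        int flags, int argc, CONST char **argv)
{
        return PAM_SUCCESS;
}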
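
An added example, not part of the original message or its attachment: a stand-alone check of the name-matching step the module relies on, runnable without installing a PAM module. It compares a strncmp() prefix test with a whole-field test; the helper names, the 64-byte buffer and the passwd lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefix test: strncmp() over strlen(user) bytes only. */
static int prefix_match(const char *user, const char *line)
{
    return strncmp(user, line, strlen(user)) == 0;
}

/* Whole-field test: a non-empty name that is followed by ':'. */
static int field_match(const char *user, const char *line)
{
    size_t len = strlen(user);
    return len > 0 && strncmp(user, line, len) == 0 && line[len] == ':';
}

/* Return 1 if match() accepts the start of any line in fp. */
static int scan(FILE *fp, const char *user,
                int (*match)(const char *, const char *))
{
    char line[64];              /* small on purpose: forces split reads */
    int at_start = 1, found = 0;
    rewind(fp);
    while (!found && fgets(line, sizeof(line), fp) != NULL) {
        if (at_start && match(user, line))
            found = 1;
        /* no '\n' in this chunk: the next read continues the same line */
        at_start = (strchr(line, '\n') != NULL);
    }
    return found;
}

/* 1 = accepted, 0 = rejected, -1 = error; exact=0 selects the prefix test. */
int local_user(const char *user, int exact)
{
    FILE *fp = tmpfile();
    int i, r;
    if (fp == NULL)
        return -1;
    /* constructed passwd data; "carol:" lands at the start of a 2nd chunk */
    fputs("root:x:0:0:Super-User:/:/sbin/sh\n", fp);
    fputs("bobby:x:1001:10:", fp);
    for (i = 0; i < 47; i++)
        fputc('A', fp);
    fputs("carol:/home/bobby:/bin/sh\n", fp);
    r = scan(fp, user, exact ? field_match : prefix_match);
    fclose(fp);
    return r;
}
```

With only "root" and "bobby" as local accounts, the prefix test accepts "bob" and the empty name, while the whole-field test rejects both and still accepts the two real accounts.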