[Cryptography] Does anyone here know PAM?

Tom Mitchell mitch at niftyegg.com
Thu Apr 6 22:05:40 EDT 2017


On Thu, Apr 6, 2017 at 12:40 PM, Jim Gettys <jg at freedesktop.org> wrote:
>
>
> On Thu, Apr 6, 2017 at 7:43 AM, Phillip Hallam-Baker <phill at hallambaker.com>
> wrote:
>>
>>
>>
>> On Tue, Apr 4, 2017 at 1:01 PM, RB <aoz.syn at gmail.com> wrote:
>>>
>>> On Tue, Apr 4, 2017 at 8:04 AM, Phillip Hallam-Baker
>>> <phill at hallambaker.com> wrote:
>>> > The architecture I am thinking of would be:
>>> >
>>> > 1) User logs in with password.
>>> >
>>> > 2) Password is passed to the unlock keys mechanism which uses it to
>>> > unlock a
>>> > master key.
>>> >
>>> > 3) Processes running under the master key account can request unlocking
>>> > of
>>> > profile data stored under it.
>>>
>>> Perhaps I'm missing some subtle part of the point, but is this not
>>> already done under the gnome-keyring project?  At least from this
>>> user's perspective, gnome-keyring (and the seahorse UI) achieve the
>>> same functionality as the OS X keyring.

Also, look at SMACK

https://github.com/cschaufler/smack-next

Simplified Mandatory Access Control Kernel (Smack) has potential
for solving specific needs with less overhead than SELinux.

https://en.wikipedia.org/wiki/Smack_(software)
Smack has been criticized for being written as a new LSM module
instead of an SELinux security policy which can provide equivalent
functionality. Such SELinux policies have been proposed, but none had
been demonstrated. Smack's author replied that it would not be
practical due to SELinux's complicated configuration syntax and the
philosophical difference between Smack and SELinux designs.[11]

Targeted SELinux policy for Apache, as well as the solutions bind and
sendmail have, could be the model to bootstrap things.

PAM
https://www.ibm.com/developerworks/library/l-pam/   <-- IBM pages are
better than average.
The concept of 'service' may get involved, as all logins pass through
the control of PAM for login, but only one(?) needs special attention.
There are login, sshd, telnet, ftp ..... each different.

See also SELinux and Role-Based Access Control (RBAC):
"Although the default configuration of the targeted policy is to use
unconfined logins, the administrator can quite easily switch to the
Role-Based Access Control model. This model also switches to 'strict'
mode for user domains, to allow targeting each program individually.
To enable this, use semanage-login to add a login mapping for your
user."




-- 
  T o m    M i t c h e l l
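The three-step design quoted at the top of this message (password unlocks a master key, processes under that account ask for profile data to be unlocked), as an added stand-alone illustration that is not code from the thread or from gnome-keyring. It assumes a hypothetical KeyAgent holding one account's master key; HMAC-SHA256 in counter mode stands in for a real AEAD cipher so that it runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

# Constructed example of the three-step design: password -> master key -> wrapped profile data.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def derive_master_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(password, salt=salt, **SCRYPT)  # step 2: password unlocks the master key

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]
def _subkeys(master_key: bytes):  # separate encryption and MAC keys split off the master key
    return (hmac.new(master_key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def wrap(master_key: bytes, data: bytes) -> bytes:  # encrypt-then-MAC one profile secret
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap(master_key: bytes, blob: bytes) -> bytes:  # a wrong master key fails the MAC, never decrypts
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master key or tampered profile blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))

class KeyAgent:  # hypothetical per-account "unlock keys" service; the master key lives only here
    def __init__(self, owner_uid: int, salt: bytes, wrapped: dict):
        self.owner_uid, self.salt, self.wrapped, self.master = owner_uid, salt, wrapped, None
    def login(self, password: bytes) -> bool:  # step 1: a wrong password cannot open the check blob
        key = derive_master_key(password, self.salt)
        try:
            unwrap(key, self.wrapped["_check"])
        except ValueError:
            return False
        self.master = key
        return True
    def request(self, caller_uid: int, name: str) -> bytes:  # step 3: owner's processes, after login
        if caller_uid != self.owner_uid or self.master is None:
            raise PermissionError("caller is not the master key account, or the account is locked")
        return unwrap(self.master, self.wrapped[name])

def provision(uid: int, password: bytes, profiles: dict) -> KeyAgent:  # build an account's store
    salt = secrets.token_bytes(16)
    master = derive_master_key(password, salt)
    wrapped = {name: wrap(master, secret) for name, secret in profiles.items()}
    wrapped["_check"] = wrap(master, b"ok")
    return KeyAgent(uid, salt, wrapped)
```

In a real deployment the agent runs as its own process, and the uid check is made against the requesting socket's credentials rather than a caller-supplied argument.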