Flow control with pam configuration

Usually, files in /etc/pam.d/ are simple, linear descriptions of how a user should be authenticated, e.g. „Try to authenticate him against ldap, and then against the local data base“. But sometimes, you want something more advanced, for example „If the user is called guest, please authenticate him with pam_dbus, otherwise use regular pam_unix.“ This is possible, and here I’ll note down how to do that.

There are actually two problems to solve: How to detect the username, and then how to do the flow control.

For the first problem, I recently discovered the pam_succeed_if module, that allows for relatively advanced logic for checking uids, usernames, hostnames and group membership. For our case, the line would read

auth ? pam_succeed_if.so quiet user = guest

Now what next? If we just wanted to allow unrestricted access to guest, we could put „sufficient“ for the questionmark. But we need something like if..then..else. Unfortunately (and I hope this will be fixed eventually), the only flow control available is „skip the next n lines“. So we can skip to pam_unix when this module fails (i.e. the user was someone else but guest), and if we did not skip, we can run the guest-specific module and then skip over pam_unix. So here is the complete snippet:

auth [default=2 success=ignore] pam_succeed_if.so quiet user = guest
auth [success=ok new_authtok_reqd=done ignore=ignore default=die] pam_dbus.so
auth [default=1] pam_permit.so
auth required pam_unix.so

You can read more about this advanced configuration in the PAM Administration guide. And here is the corresponding configuration for gdm, where guest can always login:

auth [default=2 success=ignore] pam_succeed_if.so quiet user = guest
auth required pam_permit.so
auth [default=1] pam_permit.so
auth required pam_unix.so

So I have a guest account with a locked password and I can allow ssh logins with a mouse click and use it directly with gdm. I probably should put the gdm configuration also in xscreensaver to not lock me out.


Have something to say? You can post a comment by sending an e-Mail to me at <mail@joachim-breitner.de>, and I will include it here.