Greetings!

A nice feature which I'd like to propose is extending the PAM config file
syntax with one more control directive for including other configuration
files. The whole idea is to create a few "systemwide" PAM configs and
include parts of them in application PAM configs.

For example, /etc/pam.d/system-auth:

#%PAM-1.0
auth     required   pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account  required   pam_tcb.so shadow fork
password required   pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required   pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb
session  required   pam_tcb.so
session  required   pam_limits.so

/etc/pam.d/su:

#%PAM-1.0
auth     sufficient pam_rootok.so
auth     required   pam_wheel.so use_uid group=wheel
auth     include    system-auth
account  include    system-auth
session  include    system-auth
session  optional   pam_xauth.so

In this example, su includes the auth, account and session rules from
system-auth, while no password rule is defined (i.e. "other" is used, which
is usually pam_deny.so).

Credits.
--------

The idea to implement stacking inside libpam instead of in a separate module
belongs to Solar Designer, as suggested in his message to the owl-devel
mailing list on Sat, Apr 20, 2002 at 06:55:36AM +0400.

The idea to implement stacking as a syntax extension, and the original syntax
extension itself, was suggested by Michael Tokarev in his message to the
owl-devel mailing list on Sat, Apr 20, 2002 at 03:34:15PM +0400.

The OpenPAM implementation is mostly done by Dag-Erling Smorgrav.
The Linux-PAM implementation is mine.

Standardization.
----------------

The proposed extension is already adopted by the following PAM
implementations:
+ Linux-PAM (since version 0.78, released on 2004-11-19);
+ OpenPAM (since version Digitalis, released on 2003-06-01);
+ OpenSolaris PAM.

The proposed extension is already supported by the following operating
systems:
+ ALT Linux (Linux-PAM based) since 2003-05-23;
+ FreeBSD (OpenPAM based) since 2003-06-01;
+ SuSE (Linux-PAM based) since 2003-10-02;
+ PLD (Linux-PAM based) since 2004-11-19;
+ RedHat (Linux-PAM based) since 2004-11-24;
+ OpenSolaris since 2005-06-14;
+ Debian (Linux-PAM based) since 2005-09-25.

At this moment, I have responses (listed in receive order) from

+ Dag-Erling Smorgrav (OpenPAM), on Sat, 24 May 2003 18:29:58 +0200:
  "I like the "include" syntax."
  Support for the "include" syntax extension has been added in
  openpam-20030601, see
  http://sourceforge.net/project/shownotes.php?release_id=162860

+ Andrew Morgan (Linux-PAM), on Wed, 28 May 2003 15:23:53 -0700:
  "I don't see why this shouldn't be added. I'll take a look at it."
  I've developed a patch which adds "include" syntax extension support for
  Linux-PAM, see
  ftp://ftp.altlinux.org/pub/people/ldv/pam/pam-0.77-alt-pam_include.patch
  Support for the "include" syntax extension has been added in Linux-PAM
  cvs, see
  http://sourceforge.net/tracker/index.php?func=detail&aid=812567&group_id=6663&atid=106663

+ Solar Designer (Owl), on Fri, 30 May 2003 01:16:14 +0400:
  "I've now thought over your proposal for real and I like it."

+ Nalin Dahyabhai (RedHat), on Fri, 30 May 2003 17:50:36 -0400:
  "Simple, easy to understand. I like it. My main concern is that without
  some group working to advance the PAM standards, changes like this will
  make moving from implementation to implementation difficult."

+ Darren J. Moffat (Sun), on Mon, 9 Jun 2003 07:26:20 -0700 (PDT):
  "Sun agrees in principle. As yet we aren't sure if we like the syntax,
  but the semantics are good (much better than the pam_stack hack). So far
  the 3rd column has always been a file name; this changes it to be a
  service name. I'll see if we can get closure on this in our group soon."
  Support for the "include" syntax extension has been added in OpenSolaris,
  see http://cvs.opensolaris.org/source/xref/usr/src/lib/libpam/pam_impl.h

+ Steve Langasek (Debian), on Tue, 23 Sep 2003 09:51:37 -0500:
  "While I'd like to see more standardization across distributions where
  PAM is concerned, it's certainly too late for us to make any more changes
  of this size to Debian's PAM support for the upcoming sarge release.
  Post-sarge, if there are opportunities to push something upstream that
  will be of benefit to multiple distros, I'm certainly open to the idea."

+ Sam Hartman (Debian), on Tue, 23 Sep 2003 14:39:59 -0400:
  "If Linux-PAM picks up the change, we could certainly migrate to it, but
  not for Sarge. Or rather, if you managed to get everyone to agree to a
  standard syntax soon, perhaps we could take the patch for sarge, but it
  would need to happen in a week or two and we would not migrate to using
  it."

+ Jan Rekorajski (PLD), on Thu, 25 Sep 2003 13:48:40 +0200:
  "IMO this is a much cleaner attempt than Redhat's pam_stack and I'd like
  to see it included in Linux-PAM."

+ Thorsten Kukuk (SuSE), on Thu, 25 Sep 2003 21:44:06 +0200:
  "I like it more than the pam_stack hack from Red Hat, which breaks some
  PAM modules. But for the next SuSE Linux release it was too late; it is
  on the TODO list for the next release next year."

I'd like to hear your comments on this subject. If you know anybody else who
should be contacted on this subject, please let me know.

Other ideas.
------------

+ There is a pam_stack module (hack) by Nalin Dahyabhai for Linux-PAM,
  widely used in RedHat-compatible Linux distributions, which does
  something else (stacking configs).

+ There is an "@include" PAM config extension used in Debian unstable. It
  introduces another include mechanism which behaves closer to the
  "include" extension than to pam_stack; see their
  /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy for details, e.g.
  http://www.google.com/search?as_epq=Debian-PAM-MiniPolicy&as_oq=&as_eq=&as_ft=i&as_filetype=&as_qdr=m3&as_occt=any&as_dt=i

-- 
Dmitry V. Levin
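The following resolver is added here as an illustration of the proposed
semantics; it is not code from Linux-PAM, OpenPAM or the proposal itself. It
flattens the system-auth/su example above the way an "include" control line
is meant to work: the third column of an include line is a service name
looked up in the same pam.d directory (not a module file), only the rules of
the matching type (first column) are spliced in, and the spliced rules
behave exactly as if they had been written inline, so a "sufficient" inside
system-auth would end su's auth stack on success just like su's own
pam_rootok.so line does. The in-memory pam.d and the deny-all "other"
service are constructed for the example; the fallback to "other" for a
missing service or an empty type, and treating an unknown included service
or an include cycle as an error, are this example's own choices (marked as
assumptions in the code), not a description of any particular
implementation.

```python
"""Resolver for the proposed PAM "include" control.

Added example, not code from Linux-PAM, OpenPAM or the proposal.  It
flattens each per-type stack of a service by splicing in the same-type rules
of the service named in the third column of an "include" line.  The
fallback and error choices marked "assumption" below are this example's own.
"""
from typing import Dict, List, Tuple

TYPES = ("auth", "account", "password", "session")
Rule = Tuple[str, str, str]        # (control, module or service name, arguments)

# Constructed in-memory stand-in for /etc/pam.d: the proposal's system-auth
# and su, plus a conventional deny-all "other" service.
PAM_D: Dict[str, str] = {
    "system-auth": """\
#%PAM-1.0
auth     required   pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account  required   pam_tcb.so shadow fork
password required   pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 \\
                    match=4 similar=deny random=42 enforce=users retry=3
password required   pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 write_to=tcb
session  required   pam_tcb.so
session  required   pam_limits.so
""",
    "su": """\
#%PAM-1.0
auth     sufficient pam_rootok.so
auth     required   pam_wheel.so use_uid group=wheel
auth     include    system-auth
account  include    system-auth
session  include    system-auth
session  optional   pam_xauth.so
""",
    "other": """\
auth     required   pam_deny.so
account  required   pam_deny.so
password required   pam_deny.so
session  required   pam_deny.so
""",
}


def parse_service(text: str) -> Dict[str, List[Rule]]:
    """Split one pam.d file into per-type rule lists.

    Blank lines and '#' comments are skipped; a trailing backslash joins the
    next physical line into the same rule.
    """
    stacks: Dict[str, List[Rule]] = {t: [] for t in TYPES}
    pending: List[str] = []
    for physical in text.splitlines():
        chunk = physical.rstrip()
        if chunk.endswith("\\"):
            pending.append(chunk[:-1])
            continue
        line = " ".join(pending + [chunk]).strip()
        pending = []
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {line!r}")
        typ, control, target = fields[0].lower(), fields[1].lower(), fields[2]
        if typ not in stacks:
            raise ValueError(f"unknown type {typ!r} in rule {line!r}")
        args = " ".join(fields[3].split()) if len(fields) == 4 else ""
        stacks[typ].append((control, target, args))
    return stacks


def resolve(service: str, pam_d: Dict[str, str], typ: str,
            _chain: Tuple[str, ...] = ()) -> List[Rule]:
    """Return the flattened `typ` stack of `service`.

    An "include" rule is replaced in place by the `typ` rules of the named
    service, recursively.  Because the rules are spliced inline, a
    "sufficient" inside the included service ends the including service's
    stack on success, exactly as if it had been written there directly.
    """
    if service in _chain:        # assumption: an include cycle is a config error
        raise ValueError("include cycle: " + " -> ".join(_chain + (service,)))
    if service not in pam_d:
        if _chain:               # assumption: including a missing service is an error
            raise ValueError(f"{_chain[-1]}: include of unknown service {service!r}")
        # assumption: a missing top-level service falls back to "other"
        return resolve("other", pam_d, typ) if "other" in pam_d else []
    flat: List[Rule] = []
    for control, target, args in parse_service(pam_d[service])[typ]:
        if control == "include":
            flat.extend(resolve(target, pam_d, typ, _chain + (service,)))
        else:
            flat.append((control, target, args))
    # assumption: a type with no rules at all falls back to "other", which is
    # what turns su's undefined password stack into pam_deny.so.
    if not flat and not _chain and service != "other" and "other" in pam_d:
        return resolve("other", pam_d, typ)
    return flat


def flatten(service: str, pam_d: Dict[str, str]) -> Dict[str, List[Rule]]:
    """Flatten all four stacks of `service`."""
    return {typ: resolve(service, pam_d, typ) for typ in TYPES}


if __name__ == "__main__":
    for typ, rules in flatten("su", PAM_D).items():
        for control, target, args in rules:
            print(f"{typ:<9}{control:<11}{target} {args}".rstrip())
```

Running it prints su's four flattened stacks: auth becomes pam_rootok.so,
pam_wheel.so, pam_tcb.so in that order, session ends with su's own
pam_xauth.so after the two included rules, and password comes out as
pam_deny.so from "other", matching the remark in the proposal. The cycle
check matters in practice because nothing in the syntax itself stops
system-auth from including su back.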