Received: from juniper.net (garnet.juniper.net [172.17.28.17]) by merlot.juniper.net (8.11.3/8.11.3) with ESMTP id i5KH5WJ85190; Sun, 20 Jun 2004 10:05:32 -0700 (PDT) (envelope-from mdb@juniper.net)
To: gargp@acm.org
In-reply-to: Mail from Pankaj K Garg dated Sun, 20 Jun 2004 09:42:34 PDT <40D5BE7A.2080503@earthlink.net>
References: <20040610205814.GA27286@wookimus.net> <40CDCBEA.9050505@earthlink.net> <20040614165706.GG3528@wookimus.net> <40D5BE7A.2080503@earthlink.net>
From: "Mark D. Baushke"
Cc: help-gnats@gnu.org
Subject: Re: PAM Authentication Patch
List-Id: General discussion about GNU GNATS
X-SW-Source: 2004-q2/txt/msg00174.txt.bz2

Pankaj K Garg writes:

> I'm attaching a patch for enabling PAM
> authentication support.
>
> To keep the patch file small, I've not included
> the diffs to the files 'configure' and
> 'gnats/configure'. Use autoconf to generate
> these two files. If you need the generated
> files, let me know and I'll create another
> patch.
>
> PAM support can now be enabled by using
> '--enable-pam' switch to configure.
>
> With PAM support enabled, you can put an entry
> in the gnatsd.user_access file as:
>
> :$p$:
>
> and the authentication for the user will be done
> against the configured PAM modules.
>
> The name of the PAM service is taken from the
> DEFAULT_GNATS_SERVICE define, so by default it
> should be 'support'. Hence, you can configure
> PAM by creating the file /etc/pam.d/support on
> RH Linux.
>
> I've tried to make appropriate changes to the
> documentation. Let me know if any other document
> requires update.
>
> I've done some preliminary testing on my RH 9.0
> Linux. Please let me know if there's any problem
> with it.
>
> Pankaj

The biggest problem I have with PAM support for gnatsd is that you will
now be sending a credential across the network in the clear which is
presumably able to be used as a credential outside of gnats. This could
lead to a simple password replay attack to gain access to systems by
unauthorized individuals or their agents.

I strongly urge you to first include and enable SSL (or TLS) support in
gnatsd before you allow PAM to be used to authorize connections.

	-- Mark

> Chad C. Walstrom wrote:
> > Pankaj K Garg wrote:
> >
> >>Is anyone signed up for adding PAM
> >>authentication support yet? If not, I can sign
> >>up for it.
> > No, no one has signed up for this yet. I
> > placed your name in the
> > TODO
> > list and updated it in CVS. I don't plan on
> > making ChangeLog entries for these files
> > (.todo and TODO), though I will note the
> > changes made in the cvs log entry. Welcome
> > aboard! I look forward to getting your
> > patches!
> >
> --
> Pankaj K Garg garg@zeesource.net
> 1684 Nightingale Avenue 408-373-4027
> Suite 201 408-733-2737(fax)
> Sunnyvale, CA 94087
>
> http://www.zeesource.net http://home.earthlink.net/~gargp
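
The ordering recommended in the reply above (TLS first, PAM second) can be enforced as a policy check that refuses `$p$` entries on an unencrypted connection. This is an added example, not part of the message and not code from the patch or from GNATS; the entry layout `user:password-field:rest`, the `#` comment convention, and every function and enum name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; every name here is hypothetical, not GNATS source. */
enum transport { TRANSPORT_CLEARTEXT, TRANSPORT_TLS };
enum verdict { VERDICT_ALLOW, VERDICT_REFUSE_CLEARTEXT_PAM, VERDICT_MALFORMED };

/* Assumed entry layout: "user:password-field:rest". A password field that
 * begins with "$p$" marks a PAM-backed user, as the patch notes describe. */
enum verdict pam_transport_policy(const char *entry, size_t len, enum transport t)
{
    const char *c1 = memchr(entry, ':', len);
    if (c1 == NULL || c1 == entry)
        return VERDICT_MALFORMED;
    const char *field = c1 + 1;
    const char *c2 = memchr(field, ':', len - (size_t)(field - entry));
    if (c2 == NULL)
        return VERDICT_MALFORMED;
    int is_pam = (c2 - field) >= 3 && memcmp(field, "$p$", 3) == 0;
    /* A PAM password is reusable outside GNATS: never accept it unencrypted. */
    if (is_pam && t != TRANSPORT_TLS)
        return VERDICT_REFUSE_CLEARTEXT_PAM;
    return VERDICT_ALLOW;
}

/* Audit an access file held in memory: count entries refused on transport t.
 * Blank lines and '#' comment lines are skipped (assumed conventions). */
int count_refused(const char *text, enum transport t)
{
    int refused = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len > 0 && text[0] != '#' &&
            pam_transport_policy(text, len, t) == VERDICT_REFUSE_CLEARTEXT_PAM)
            refused++;
        text += len;
        if (*text == '\n')
            text++;
    }
    return refused;
}

/* Constructed sample entries, not taken from any real installation. */
static const char SAMPLE[] =
    "# constructed sample\nalice:$p$:edit\nbob:not-a-pam-field:view\ncarol:$p$:admin\n";

int main(void)
{
    printf("refused on cleartext: %d, on TLS: %d\n",
           count_refused(SAMPLE, TRANSPORT_CLEARTEXT), count_refused(SAMPLE, TRANSPORT_TLS));
    return 0;
}
```

Running the audit against an access file before exposing the daemon shows which accounts would put a system password on the wire if TLS were not in place.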