Hi guys,

has anyone gone through adding PAM
to Slack? How much hassle was it?

Googling on groups brought up several
hits, but none too explicit on what needed
doing, or what amount of work was involved.

Cheers,
Tink

Heres some slack 9 packages for it:

http://slackpacks.tchelinux.com.br/pam/Latest-9.0/

They also have 8.1 if you need it.


I haven't tried it,so I cant tell you if it works. But all the packages ive gotten from this guy have worked well.

Ta mate :)

Grabbed an 8.1 version, installed smoothly,
now I need to compile a few porgrams that
work with PAM against it to see whether it's
all go :}

Will keep you informed!

Cheers,
Tink

What programs needed it?

I have never had to install PAM, maybe im missing out on something.

No programs (that I use, anyway)
necessarily need it, however, it's
a "nice feature" to be able to
authenticate against a PostgreSQL
database or LDAP if you're in the
corporate world ... ;)

The reason why I am after it is that
I want to extend iptables to be an
authentication based gateway rather
than just a "dumb packet filter" ... that
is, I want to make sure that a certain
user can/can't do certain things rather
than assuming the person is always on
the same IP ;)

If I'm successful with that I want to extend
iptables to verify that the program trying
to access a port/address is cosher, similar
to what Norton or Tiny (Kerio) do in WinDOHs.

Cheers,
Tink

P.S.: If someone knows a GPLed program that
already does these things I'll gladly save
myself the trouble ;}

If I'm successful with that I want to extend
iptables to verify that the program trying
to access a port/address is cosher, similar
to what Norton or Tiny (Kerio) do in WinDOHs.

Not exactly a reply to your thread, since you're on a different track, but I'd like to draw your attention to a short explanation of what Grsecurity can do for you wrt to restricting users, for instance denying setting up client or server sockets and other ramblings about the search for the "ZA for Linux" grail I've made in /sec earlier on.

Thanks for commenting on my post,
and the two very interesting/highly
informative links. I'll certainly give
grsecurity a try (hoping that it'll be
fine with the other custom kernel
patches, like ACPI ;})

I was thinking about a iptables pluggable
module that uses /proc to establish the PID
of the process making a connect, check the
application doing it against a database of
whatever kind (loading known & trusted apps
the first time the target is jumped to from a
config-file [Psql-database, XML, ...]), verify
the user running it, ... and prompt ruth while
denying unknown programs/people at first.
With the userland interface of iptables it
would be a breeze to kick out DoS by
handing them on to tcpwrapper :}

The hardest bit would be to make a client
for this approach that runs on win-boxen
on the network (so I can check their authenticity,
too, the Linux machines are less of a concern).

Cheers,
Tink

I was reading about SELinux earlier. You might want to check it out.
http://www.coker.com.au/selinux/
http://www.crypt.gen.nz/selinux/faq.html