Bug 103449

Summary: Consider including pam_dotfile
Product: [Retired] Red Hat Linux
Reporter: Jef Spaleta <jspaleta>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 9
CC: mitr, srevivo
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
URL: http://0pointer.de/lennart/projects/pam_dotfile/
Doc Type: Enhancement
Last Closed: 2005-08-03 08:40:33 UTC

Description Jef Spaleta 2003-08-30 19:05:10 UTC
Description of problem:
From http://0pointer.de/lennart/projects/pam_dotfile/:
"pam_dotfile is a PAM module which allows users to have more than one password
for a single account, each for a different service. This is desirable because
many users have objections to using the same password for (as an example) an
IMAP4 mailbox and SSH access. The IMAP4 password should be distinct from the SSH
password because the user wants to save the former in the configuration of his
mail agent, but not the latter. The same applies to POP3 mailboxes, FTP and
comparable services."

Well, that's what the project website sez... I have started using pam_dotfile at
home with my dovecot imap server, so that the small number of users who have
both imap and shell access can use separate passwords. Pam_dotfile might not be
the best solution to the problem it's solving... but I think it's interesting
enough for someone to look over for inclusion.

If there end up being technical reasons as to why this is not a good fit in the
distro, I'd be interested in hearing comments about specific issues.



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
N/A    

Actual Results:  N/A

Expected Results:  N/A

Additional info:

For my services at home I have edited system-auth to include a line to check
pam_dotfile after checking the unix password:

auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_dotfile.so use_first_pass no_warn
auth required   /lib/security/$ISA/pam_deny.so

This means the unix password is checked first, then the pam_dotfile is checked
for the password. Doing it this way should make the addition of pam_dotfile
support transparent for all services using system-auth until a user adds a
pam_dotfile password for a specific service.
Or at least that's what I hope it's doing.
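
The evaluation order described for this stack can be traced with a small model. This is an added example, not code from the bug report or from pam_dotfile: it models only the "required" and "sufficient" control flags, and the user name, service names and passwords are constructed sample values.

```python
# Simplified model of how Linux-PAM walks the auth stack quoted above.
# Assumptions: only "required"/"sufficient" are modelled; module behaviour
# is reduced to success/fail/ignore; all credentials below are constructed.
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

UNIX_PASSWORDS = {"alice": "Long-Shell-Passphrase-42"}   # account password
DOTFILE_PASSWORDS = {("alice", "imap"): "mail123"}        # per-service password

def pam_env(user, service, password):
    return IGNORE  # modelled as taking no part in the auth decision

def pam_unix(user, service, password):
    return SUCCESS if UNIX_PASSWORDS.get(user) == password else FAIL

def pam_dotfile(user, service, password):
    # use_first_pass: reuse the password already collected, never re-prompt
    stored = DOTFILE_PASSWORDS.get((user, service))
    return SUCCESS if stored is not None and stored == password else FAIL

def pam_deny(user, service, password):
    return FAIL

STACK = [("required", pam_env), ("sufficient", pam_unix),
         ("sufficient", pam_dotfile), ("required", pam_deny)]

def authenticate(user, service, password, stack=STACK):
    """Return (granted, name of the module that decided the outcome)."""
    required_failed, required_ok = None, False
    for control, module in stack:
        result = module(user, service, password)
        if result == IGNORE:
            continue
        if control == "sufficient":
            # Success ends the stack unless a required module failed earlier;
            # a failed sufficient module is not held against the user.
            if result == SUCCESS and required_failed is None:
                return True, module.__name__
        elif result == FAIL:
            # A required failure is remembered, but the stack keeps running.
            required_failed = required_failed or module.__name__
        else:
            required_ok = True
    return (required_failed is None and required_ok), required_failed

if __name__ == "__main__":
    for svc, pw in [("imap", "Long-Shell-Passphrase-42"), ("imap", "mail123"),
                    ("sshd", "mail123"), ("imap", "wrong")]:
        print(svc, pw, authenticate("alice", svc, pw))
```

In this model the account password is accepted for every service, the per-service password only for the service it was defined for, and nothing in the auth stack looks at how strong either password is.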

Comment 1 Tomas Mraz 2005-08-03 08:40:33 UTC
I suggest creating pam_dotfile as a new Fedora Extras package.

We cannot add pam_dotfile to the standard system-auth configuration anyway,
because it can be used to, for example, bypass the password strength checking in
pam_cracklib.



Comment 2 Jef Spaleta 2005-08-03 12:46:31 UTC
Fair enough... I actually forgot about this ticket.
-jef