As far as I understood, in my case I can have only logs that are provided by auth-type modules? and also that DeleGate just ignores all pam-modules that are not auth-type?! What can I do then? I mean how can I grant access only to users of definite group? pam_require (account type) and pam_group (session type) and pam_limits, pam_access (both session type) could not help me, could they?!!
Well, I just could add, that I use Red Hat Linux 6.0 and PAM-1.0, and wait for your help. Thanks a lot for listening to my problem.
With respect, Shade
>On 12/20/04(22:18) you "Shade" <email@example.com> wrote
> | I have some problems with PAM authentication. Well, I'll try to
> | describe the problem in the whole: I've got local and external networks,
> | and a firewall between them. On the same computer with the FW there is
> | installed DeleGate. I use only 6 protocols: telnet, ftp, http, pop, smtp,
> | imap and their 'ssl-forms'. Well, earlier for proxy-users' authentication
> | I used special files, e.g. 'proxy.users', where the information about
> | logins and passwords of allowed users was kept. Then my boss told me he
> | wanted to use PAM for this purpose.
> | I did "AUTHORIZER='-pam/delegate-auth'", where 'delegate-auth' is my
> | own pamconf file. Everything works, I can see, that DeleGate works
> | with PAM. But there are two problems:
> | 1. there are no pam-logs at all. When I log-in my FW-computer locally,
> | there are lots of pam-logs in /var/log/auth/*, but when I go through
> | DeleGate, using PAM, there are no logs at all.
>What kind of logs are in your /var/log/auth/* ? If it is like "session
>opened/closed", then it is not logged by DeleGate because DeleGate
>uses PAM just for the purpose of authentication (PAM category "auth"),
>and does not use other features including "session" management.
>Furthermore, DeleGate does not always refer to PAM for each authentication.
>It reuses authenticated user+pass pairs which are authenticated by PAM
>(or other auth-server) in cache (in 180 seconds).
> | And 2. I need to allow only users in special group 'delegate-users'
> | (there they have home directory and shell - /dev/null, in order not
> | to let them into FW-system). I know that I can use modules 'pam_group'
> | and 'pam_require' (www.splitbrain.org). And when I use them on the
> | local FW-machine, or, for example, through ssh from the remote machine
> | (to the FW-machine), it works fine. But when I use it with DeleGate,
> | it acts like there is no 'group'-rule in the conf-file.
>There are so many versions of PAM implementations on various platforms.
>If you would tell me the version of your PAM and OS, I might be able to
> D G Yutaka Sato <firstname.lastname@example.org> http://delegate.org/y.sato/
> ( - ) National Institute of Advanced Industrial Science and Technology
>_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
>Do the more with the less -- B. Fuller
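
Added example, not part of the original thread and not DeleGate code: the quoted reply says DeleGate uses only the PAM "auth" category, so this sketch parses a pam.d-style service file and separates the rules such a caller runs from the account/session/password rules it never reaches. The sample file contents, the module arguments and the helper names (`parse_rules`, `split_by_caller`) are constructed for illustration.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "line type control module args")
TYPES = {"auth", "account", "session", "password"}

# Constructed sample service file (not the poster's real 'delegate-auth').
SAMPLE = r"""# constructed sample
auth     required   pam_nologin.so
auth     [success=ok default=bad] \
         pam_unix.so shadow nullok
account  required   pam_require.so @delegate-users
account  required   pam_access.so
session  required   pam_limits.so
-session optional   pam_group.so
"""

def parse_rules(text):
    """Parse pam.d-style text into Rule tuples (comments, '\\' continuations,
    '[...]' controls and a leading '-' on the type are handled)."""
    rules, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n                      # first physical line of this rule
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):            # rule continues on the next line
            buf += line[:-1] + " "
            continue
        buf, line = "", (buf + line).strip()
        if not line:
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1).lower() not in TYPES:
            raise ValueError(f"line {start}: not a PAM rule: {line!r}")
        rules.append(Rule(start, m.group(1).lower(), *m.group(2, 3, 4)))
    return rules

def split_by_caller(rules, called=("auth",)):
    """Return (run, skipped) for an application that calls only `called` types."""
    run = [r for r in rules if r.type in called]
    skipped = [r for r in rules if r.type not in called]
    return run, skipped

if __name__ == "__main__":
    run, skipped = split_by_caller(parse_rules(SAMPLE))
    for r in run:
        print(f"runs     line {r.line}: {r.type} {r.control} {r.module}")
    for r in skipped:
        print(f"SKIPPED  line {r.line}: {r.type} {r.module} {r.args}".rstrip())
```

On the constructed sample, every group-related rule lands in the skipped list, which matches the behaviour described in the message: the 'group' rule appears to have no effect when the request comes through DeleGate.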