
PAM allows using sufficient and required for some logic, like

auth sufficient pam_a.so
auth required pam_b.so
auth required pam_c.so

which would mean "either a is true, or b must be true and then c must be true".

Is it possible to do more complex operations, like "(a or b) and (c or d)" or "(a and b) or (c and d)"? Possibly with even more layers of parentheses.

allo
  • You're getting into a scary amount of complexity for something you must trust in as faithfully as authentication and authorization. If you need something that is sufficiently complex, you may need to write your own authentication module or a script to pam_exec. The short answer is no, I do not believe it is easy to express situations like that. – Andrew Domaszek Mar 07 '15 at 23:48

1 Answer

Yes, there is logic for being able to skip over arbitrary numbers of lines. There are no "grouping brackets" or anything of the sort, but if you combine the logic that you just mentioned with the ability to skip over lines, you can selectively exclude behavior.

Here's an example from my personal server:

# Skip Google authenticator check if they're coming from a local IP.
auth    [success=1 default=ignore] pam_access.so accessfile=/etc/security/access/nogoogle.conf noaudit
auth    required        pam_google_authenticator.so nullok

I don't really need two-factor authentication if the source IP is coming from my local network, so I'm using the outcome of the pam_access.so check to skip exactly one line on success. If the check fails, nothing happens and the next line is checked.

You can find more about this in the pam.conf manpage. Search for "value1". The section starts off like so:

  For the more complicated syntax valid control values have the following form:

            [value1=action1 value2=action2 ...]

  Where valueN corresponds to the return code from the function invoked in the
  module for which the line is defined.
  ...

Keep in mind that this logic is much more complex, and if people edit your PAM configurations without noting the presence of line skipping they can cause all kinds of chaos by adding or removing lines in the wrong places.

Andrew B
  • looks good. I try to realize some two-factor auth depending on other conditions, too. – allo Mar 08 '15 at 14:29
  • Andrew, is this answer complete enough to qualify for canonicity? E.g. links to FMs, discussion of `requisite` vs `required` etc.? – Deer Hunter Feb 13 '16 at 20:03
  • @Deer This was meant to serve as the answer for "how do I implement complex and/or behavior [using the more complex syntax]", not as a holistic guide to PAM actions. (which is implied by your mention of `requisite`) Since this has failed the acceptance test I will remove the link regardless. – Andrew B Feb 13 '16 at 20:14
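Because a skipped line is easy to miscount, it pays to check a skip-based stack against the formula it is supposed to implement before deploying it. The following is an added example, not code from the answer or from Linux-PAM: a small Python model of the pam_dispatch rules for ok/done/bad/die/ignore and success=N jumps, used to exhaustively test stacks for the question's "(a or b) and (c or d)" and "(a and b) or (c and d)". The module names pam_a.so to pam_d.so are placeholders, and the model assumes each module returns only success or a plain failure (no other return codes).

```python
from itertools import product

# pam.conf(5) shorthands, written in the [value=action ...] form this model reads.
SHORTHAND = {"required": "[success=ok default=bad]",
             "requisite": "[success=ok default=die]",
             "sufficient": "[success=done default=ignore]"}

def parse_control(control):
    """'[success=1 default=ignore]' or a shorthand -> {value: action}."""
    control = SHORTHAND.get(control, control)
    return dict(item.split("=", 1) for item in control[1:-1].split())

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: True/False}. Returns True if
    the stack grants. ok/done contribute the module's result unless one is already
    fixed, bad/die remember the first failure, ignore adds nothing, and an integer
    action N acts like ok and then skips the next N lines (simplified model)."""
    impression, status, i = None, None, 0   # None: nothing recorded yet
    while i < len(stack):
        control, module = stack[i]
        ok = results[module]                     # constructed module outcome
        actions = parse_control(control)
        action = actions.get("success" if ok else "auth_err", actions.get("default", "bad"))
        jump = 0
        if action.isdigit():                     # success=N style skip
            jump, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression and status):
                impression, status = True, ok
            if action == "done" and impression:  # sufficient stops only if nothing failed
                break
        elif action in ("bad", "die"):
            if impression is not False:          # first failure wins
                impression, status = False, ok
            if action == "die":                  # requisite stops immediately
                break
        i += 1 + jump
    return impression is True and status is True

def implements(stack, formula):
    """Compare a stack with a boolean formula over all outcome combinations;
    formula arguments are the module results in sorted module-name order."""
    modules = sorted({m for _, m in stack})
    return all(run_stack(stack, dict(zip(modules, bits))) == formula(*bits)
               for bits in product([False, True], repeat=len(modules)))
# (a or b) and (c or d): each "or" is a success-jump over a required fallback.
AND_OF_ORS = [("[success=1 default=ignore]", "pam_a.so"), ("required", "pam_b.so"),
              ("[success=1 default=ignore]", "pam_c.so"), ("required", "pam_d.so")]
# (a and b) or (c and d): when a fails, jump straight to the (c and d) branch.
OR_OF_ANDS = [("[success=1 default=ignore]", "pam_a.so"),     # a ok: go on to b
              ("[success=2 default=die]", "pam_c.so"),        # a failed: need c and d
              ("[success=done default=ignore]", "pam_b.so"),  # a and b ok: grant now
              ("required", "pam_c.so"), ("required", "pam_d.so")]  # b failed: c and d
```

Note that the second stack lists pam_c.so twice, once per branch, because a line can only be skipped forward on success; that repetition is exactly the kind of thing the answer warns will confuse a later editor of the file.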