Pam
From Bashlinux
Revision as of 17:24, 9 June 2015
How to launch an application from the Desktop with password protection
Assuming the application in question is Firefox, this works with a bin/sbin pair: the real binary is moved to /usr/sbin and the path in /usr/bin becomes a symlink to consolehelper, which authenticates the caller through PAM before running the real binary. consolehelper looks up its configuration by the name it was invoked as, so every file created below (the console.apps file and the PAM service file) must match the name of the binary being protected.
- Move the binary and replace it with a symlink to consolehelper
<pre>
mv /usr/bin/firefox /usr/sbin/firefox
ln -s /usr/bin/consolehelper /usr/bin/firefox
</pre>
- Create the security file /etc/security/console.apps/firefox with the following lines:
<pre>
USER=<user>
PROGRAM=/usr/sbin/firefox
SESSION=True
</pre>
User
The USER line must contain the literal string <user>: consolehelper then asks for the password of the invoking user and runs the program as that user. To run the application as a specific user, for example foo, replace <user> with foo; to restrict the application to root, write root instead of <user>. SESSION=True makes consolehelper run the PAM session stack, which the pam_xauth and pam_timestamp lines below rely on.
- Create the PAM file /etc/pam.d/firefox
<pre>
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       include      system-auth
account    required     pam_permit.so
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
</pre>
pam_rootok lets root start the application without a password, and pam_timestamp skips the prompt when the same user authenticated successfully a few minutes ago (five by default); otherwise the password is checked through system-auth. pam_xauth forwards the X authority cookie so the application can open a window when it runs as a different user. Note that the account stack is only pam_permit, so a locked or expired account is not refused here; use account include system-auth if that matters.
- Create the Desktop launcher ~/Desktop/firefox.desktop
<pre>
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=false
Name[en_US]=Firefox
Exec=/usr/bin/firefox
Comment[en_US]=Launch Firefox
Icon[en_US]=/usr/share/pixmaps/firefox.xpm
Name=Firefox
Comment=Launch Firefox
Icon=/usr/share/pixmaps/firefox.xpm
</pre>
Exec points at /usr/bin/firefox, which is now the consolehelper symlink, so launching from the Desktop goes through the PAM check.
The PNG icon under /usr/share/pixmaps is too big, so you may want to link the small XPM shipped with the Firefox installation into the pixmaps directory instead, where ${FIREFOX} is the Firefox directory under /usr/lib:
<pre>
ln -s /usr/lib/${FIREFOX}/icons/default.xpm /usr/share/pixmaps/firefox.xpm
</pre>
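The steps above, collected into one script that wraps any binary behind consolehelper rather than only Firefox. This is an added example and not part of the original page: the function names wrap_with_consolehelper and check_wrapper are mine, the optional ROOT argument (so the procedure can be dry-run into a scratch directory instead of the live system) is my addition, and the generated PAM file uses account include system-auth instead of the page's pam_permit so that locked or expired accounts are refused. It assumes consolehelper is at /usr/bin/consolehelper and that the PAM include syntax is available (Linux-PAM 0.78 or newer).

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): wrap a binary behind
# consolehelper the way the Firefox walkthrough does, for an arbitrary name.
# ROOT defaults to the live system; point it at a scratch directory to
# dry-run the steps. Assumes /usr/bin/consolehelper and PAM "include".

# wrap_with_consolehelper NAME RUN_AS [ROOT]
#   NAME   - binary under ROOT/usr/bin to protect (e.g. firefox)
#   RUN_AS - value for USER=: "<user>" (invoking user), "root", or a user name
#   ROOT   - filesystem root to write into ("" for the live system)
wrap_with_consolehelper() {
    name=$1 run_as=$2 root=${3:-}
    bin="$root/usr/bin/$name"
    sbin="$root/usr/sbin/$name"

    if [ ! -f "$bin" ]; then
        echo "no such binary: $bin" >&2; return 1
    fi
    if [ -e "$sbin" ]; then
        echo "refusing to overwrite $sbin" >&2; return 1
    fi

    mkdir -p "$root/usr/sbin" "$root/etc/security/console.apps" "$root/etc/pam.d"

    # 1. Real binary goes to sbin; bin becomes a symlink to consolehelper.
    mv "$bin" "$sbin"
    ln -s /usr/bin/consolehelper "$bin"

    # 2. console.apps entry: consolehelper finds it by argv[0], i.e. NAME.
    printf 'USER=%s\nPROGRAM=/usr/sbin/%s\nSESSION=True\n' "$run_as" "$name" \
        > "$root/etc/security/console.apps/$name"

    # 3. PAM service file with the same name. The account stack includes
    #    system-auth (not pam_permit) so locked/expired accounts are refused.
    cat > "$root/etc/pam.d/$name" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       include      system-auth
account    include      system-auth
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
EOF
}

# check_wrapper NAME [ROOT]: 0 if the symlink, the PAM file and the
# console.apps file are all in place and PROGRAM= points at an executable.
check_wrapper() {
    name=$1 root=${2:-}
    [ -L "$root/usr/bin/$name" ] || return 1
    [ "$(readlink "$root/usr/bin/$name")" = /usr/bin/consolehelper ] || return 1
    [ -f "$root/etc/pam.d/$name" ] || return 1
    prog=$(sed -n 's/^PROGRAM=//p' "$root/etc/security/console.apps/$name" 2>/dev/null) || return 1
    [ -n "$prog" ] && [ -x "$root$prog" ]
}
```

Run it as root without a third argument to change the live system, e.g. wrap_with_consolehelper firefox '<user>'; run it with a scratch ROOT first to inspect the three files it produces. The check function refuses a wrapper whose PROGRAM= target is missing, which is the usual symptom when the binary is later upgraded back into /usr/bin.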
How to setup ssh authentication and an ldap client
On CentOS run the following command, which points NSS (/etc/nsswitch.conf and the LDAP client configuration) and PAM (/etc/pam.d/system-auth) at the LDAP server and enables nscd caching:
<pre>
authconfig --enableldap --enableldapauth --disablenis --enablecache \
  --ldapserver=ldap.bashlinux.com --ldapbasedn=dc=bashlinux,dc=com \
  --updateall
</pre>
Because sshd authenticates through PAM (/etc/pam.d/sshd includes system-auth), LDAP users can log in over ssh once this is in place, provided UsePAM yes is set in /etc/ssh/sshd_config. Note that the command as written does not enable TLS, so pam_ldap will send users' passwords to ldap.bashlinux.com in clear text; add --enableldaptls and load the server's CA certificate with --ldaploadcacert=<URL> unless the server is only reachable over a trusted network.
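A post-run check for the authconfig step above, added here and not part of the original page. The functions nss_has_ldap and pam_has_ldap are mine; they inspect an nsswitch.conf and a system-auth file (any path, so they can be pointed at /etc on the host) and confirm that passwd, shadow and group resolve through ldap and that the auth, account and password stacks consult pam_ldap.so. The sample files written by make_samples are constructed to look like authconfig output on CentOS and are not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): verify what authconfig changed.
# Both checks take a file path, so they can be run against /etc/nsswitch.conf
# and /etc/pam.d/system-auth on the host, or against the samples below.

# nss_has_ldap FILE: 0 if passwd, shadow and group all list the ldap source.
nss_has_ldap() {
    for db in passwd shadow group; do
        grep -E "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" >/dev/null || return 1
    done
}

# pam_has_ldap FILE: 0 if the auth, account and password stacks use pam_ldap.so.
# The session stack is not required: authconfig adds it as optional only.
pam_has_ldap() {
    for type in auth account password; do
        grep -E "^[[:space:]]*$type[[:space:]].*pam_ldap\.so" "$1" >/dev/null || return 1
    done
}

# ldap_client_ok NSSWITCH SYSTEM_AUTH: both halves must be in place; having
# NSS without PAM means users resolve but cannot log in, and vice versa.
ldap_client_ok() {
    nss_has_ldap "$1" && pam_has_ldap "$2"
}

# make_samples DIR: constructed samples modelled on authconfig output.
make_samples() {
    dir=$1
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
    cat > "$dir/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF
    # An nsswitch.conf on which authconfig was never run, for contrast.
    cat > "$dir/nsswitch.local" <<'EOF'
passwd:     files
shadow:     files
group:      files
EOF
}
```

On a real host, follow a passing check with getent passwd for an LDAP-only account and a test login over ssh; the grep checks only prove the files were rewritten, not that the server answers.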