On 27 Jan 2010, at 00:34, walt wrote:
... After thinking awhile I realized that pam can be used to combine multiple forms of authentication to reduce the well documented risk of single-factor authentication (like our traditional password system). ... Any sysadmins out there that can confirm my reasoning?
I use pam_winbind at a site to enable users to log on to the Dovecot IMAP server using their Windows domain username & password.
Once the underlying mechanism is set up it requires very little work to enable this - for ftp authentication (restricted to localhost only, but this allows Squirrelmail users to add a vacation message) I needed to touch, I am sure, nothing but the /etc/pam.d/ftp file. Dovecot requires only one or two extra lines in its config. With one additional line in /etc/pam.d/imaps a homedir is created for the user the first time they log into the IMAP server (pam_mkhomedir.so).
This list may not consider this such a cool use of PAM as using long encryption keys to authenticate themselves, but I have found PAM amazing when it all comes together so quickly. PAM seems quite powerful & flexible, although I too seem to recall having a frustrating experience when I encountered it, without understanding it, years ago.
Stroller.
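
An added example, not part of the original message: a small Python audit of a pam.d service file that reports which auth modules must all succeed (the stacking walt asks about) and whether pam_mkhomedir.so is in the session stack. The sample file contents are constructed, the function names are hypothetical, and the check is simplified: it does not follow `include` directives and stops at the first control flag it cannot evaluate.

```python
import re

# Constructed sample of /etc/pam.d/imaps (not the poster's actual file).
SAMPLE_IMAPS = """\
# IMAP service stack, constructed for illustration
auth     required  pam_winbind.so
account  required  pam_winbind.so
session  required  pam_mkhomedir.so skel=/etc/skel umask=0077
"""

# type, control (keyword or [bracketed actions]), module path, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse a pam.d service file into (type, control, module, args) tuples."""
    rules = []
    # Join backslash-continued lines, then strip comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            module = m.group(3).rsplit("/", 1)[-1]  # keep only the file name
            rules.append((m.group(1), m.group(2), module, m.group(4).split()))
    return rules

def mandatory_auth(rules):
    """Auth modules that must all succeed before anything can short-circuit.

    Order matters: a 'sufficient' module that succeeds ends the stack early,
    so 'required' modules listed after it are not guaranteed to run.
    """
    must = []
    for rtype, control, module, _ in rules:
        if rtype != "auth":
            continue
        if control in ("required", "requisite"):
            must.append(module)
        elif control != "optional":
            break  # sufficient, include, or [..] actions: stop, outcome unknown
    return must

def creates_homedir(rules):
    """True if the session stack loads pam_mkhomedir.so."""
    return any(t == "session" and m == "pam_mkhomedir.so" for t, _, m, _ in rules)

if __name__ == "__main__":
    parsed = parse_pam(SAMPLE_IMAPS)
    print("mandatory auth modules:", mandatory_auth(parsed))
    print("homedir created on first login:", creates_homedir(parsed))
```

A result with two or more mandatory auth modules means every one of them has to succeed, which is how PAM stacks factors; a single entry, as in the sample, is single-factor.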