On Tue, Dec 02, 2008 at 12:47:11PM +1100, Darren Reed wrote:
> Nicolas Williams wrote:
> >http://sourceforge.net/projects/pam-abl
> >http://linux.die.net/man/1/pam_abl
>
> Interesting, but I'm not sure that I like the architecture of this.

Back when we were doing the SunSSH resync with OpenSSH for S10 we considered handling auditing via PAM in a similar way. We didn't follow that approach, but I forget why. I don't remember if there was some corner case that we couldn't address that way or if the issue was the difficulty of ensuring that PAM is properly configured (which certainly is an issue).

Auto-blacklisting naughty clients is a simpler problem than auditing, and you may find it easier to implement it via PAM than through Solaris auditing facilities, but you will come to the same issue of ensuring that PAM is properly configured.

OTOH, enabling audit, rebooting, and ensuring proper audit configuration isn't exactly much simpler.

Nico
--
