.. _PAMDeveloperChapter:

PAM
===

PAM (Pluggable Authentication Modules) is an authentication mechanism provided by many operating systems that establishes a standardized interface for the authorization of users.

The name of the service to be registered with the respective PAM module is "bareos".

The following sequence diagram shows three options for how a user can be authorized on a Bareos Director Daemon:

* Option 1: No PAM authentication using named console
* Option 2: Interactive PAM authentication
* Option 3: Direct PAM authentication

The example shows the complete connection and authorization sequence of a Bareos Console or of the Bareos WebUI, respectively.

For a detailed description of the configuration, see :ref:`PAMConfigurationChapter`.

.. uml::
   :caption: Console/WebUI connection sequence from Bareos 18.2

   skinparam SequenceMessageAlign reversedirection

   actor "Console\nWebUI" as W
   participant "director\ndaemon" as D

   W <-> D: Initiate TCP connection
   W <-> D: TLS Cert/PSK Handshake
   note right of D: <b>default console</b>: identity *UserAgent*,\npassword/key from director resource\n\n<b>named console</b>: identity <console-name>,\npassword/key from console resource

   W -> D: "Hello <*UserAgent*|console-name> calling"

   W <- D: "auth cram-md5[c] <password-md5> ssl=<0|1|2|4>"
   W -> D: "<password-md5>"
   W <-- D: On Failure [Close TLS connection]
   W <- D: On Success: "1000 OK auth"

   W -> D: "auth cram-md5[c] <password-md5> ssl=<0|1|2|4>"
   W <- D: "<password-md5>"
   W --> D: On Failure [Close TLS connection]
   W -> D: On Success: "1000 OK auth"

   ... ...

   == Option 1: No PAM authentication (Default Console) ==
   ... no further action ...

   == Option 2: Interactive PAM authentication (Console) ==

   note right of D: pam can only be used when connected \nwith a named console (__not__ default console) \nusing EnablePamAuthentication= yes

   note left of W: (__RS__) is the Record Separator \n(ASCII-character 0x1e)

   W <- D: "1001__RS__" (Pam Authentication required)
   W -> D: "4001__RS__" (Interactive Pam (i.e. pam_unix))
   W <- D: "0x2" (type = PAM_PROMPT_ECHO_ON)

   note left of W: type as bcd: \n0x0 (PAM_SUCCESS)\n0x1 (PAM_PROMPT_ECHO_OFF) \n0x2 (PAM_PROMPT_ECHO_ON)

   W <- D: "Login:"
   W -> D: "<cleartext pam-username>"
   W <- D: "0x1" (type = PAM_PROMPT_ECHO_OFF)
   W <- D: "Password:"
   W -> D: "<cleartext pam-password>"
   W <- D: On Success: "0x0" (PAM_SUCCESS)
   W <- D: On Success: "0x0" (empty message)

   == Option 3: Direct PAM authentication (WebUI) ==
   W <- D: "1001__RS__" (Pam Authentication required)
   W -> D: "4002__RS__Username__RS__Password" (PAM credentials)
   ... ...

   == On any failure ==
   W <--> D: [Close TLS connection]
   W <--> D: Close TCP connection

   == On success ==
   W <- D: 1000__RS__OK:__RS__<director-name> Version: <version> (<date>)
   W <- D: 1002__RS__<You are logged in as: <username>|You are connected using the default console>

   ... run some console commands ...

   W <-> D: [Close TLS connection]
   W <-> D: Close TCP connection

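As an added example (not part of the Bareos documentation or source), the following Python model walks through the director side of Option 2 and Option 3 from the diagram above, with every message simplified to the string the diagram shows; ``check`` is an assumed stand-in for the PAM conversation the real director runs, and ``run_dialog`` drives the model against a scripted console.

```python
# Added example (not Bareos code): director-side model of the interactive (4001)
# and direct (4002) PAM exchanges from the sequence diagram. Messages are the
# plain strings shown in the diagram; the real director sends them over the
# TLS-protected console connection after the CRAM-MD5 exchange has succeeded.
RS = "\x1e"  # ASCII Record Separator used between fields (__RS__ in the diagram)

# "type as bcd" values sent before each prompt / final result
PAM_SUCCESS, PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = "0x0", "0x1", "0x2"


def director_pam_dialog(recv, send, check):
    """Run the PAM part of the login for a named console with
    EnablePamAuthentication = yes.  `recv()` returns the next console message,
    `send(msg)` delivers one to the console, and `check(user, password)` is an
    assumed stand-in for pam_authenticate().  Returns True only when the user
    was authenticated; on False the caller closes the TLS and TCP connection.
    """
    send("1001" + RS)                        # PAM authentication required
    reply = recv()
    if reply == "4001" + RS:                 # Option 2: interactive (console)
        send(PAM_PROMPT_ECHO_ON)             # username may be echoed
        send("Login:")
        user = recv()
        send(PAM_PROMPT_ECHO_OFF)            # password must not be echoed
        send("Password:")
        password = recv()
        if not check(user, password):
            return False                     # no 0x0: failure path, close connection
        send(PAM_SUCCESS)                    # "0x0" (PAM_SUCCESS) ...
        send("")                             # ... followed by an empty message
        return True
    if reply.startswith("4002" + RS):        # Option 3: direct (WebUI)
        fields = reply.split(RS)             # ["4002", username, password]
        if len(fields) != 3:
            return False                     # malformed credential record
        return check(fields[1], fields[2])
    return False                             # unknown reply: treat as failure


def run_dialog(console_script, check):
    """Drive the model with a scripted console (list of messages it sends, in
    order).  Returns (authenticated, list of messages the director sent)."""
    sent = []
    pending = iter(console_script)
    ok = director_pam_dialog(lambda: next(pending, ""), sent.append, check)
    return ok, sent
```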