[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How do I get rid of passwd/shadow files

On Wed, Oct 28, 1998 at 10:55:12AM +0800, Richard Lennerts wrote:

> Hi,
Wow.. It looks like several people are looking for a solution with this.

> The problem is that I would like to totally remove any reliance on 
> password/shadow files from my systems, but most applications, eg. 
> login, still require access to these files even after PAM has 
> authenticated the user. 
This is my first (big) obstacle with PAM: getting info from other sources
and traditionally stored in passwd files.

> If some of you have succeeded in removing the need for password files 
> for services which require user authentication I would be extremely 
> greatful for any tips.
In my ISP, we use an (My)SQL to authenticate dial-in users via radius.
Also, I've set up another table with virtualdomain email, a thing that's
difficult using passwd-based users. The point is that you cant have
easily two users with the same name and different domain, eg.



as they both would be the first UNIX login "jonah". What we've done is
having the POP server to understand a username like "jonah@encomix.es".
The checkpassword program (we're using qmail) looks up in database user
"jonah" AND domain "encomix.es", and get info about password and such.

Uid and gid is solved giving all email users the same uid/gid, and having
a chroot'd ftp daemon for users. Uid and gid for virtualdomains are taken
of an actual UNIX login. That's what we call "domain accounts".

The functional schema is something like this:

:POP server connected
USER jonah@encomix.es
PASS secret
:Lookup jonah AND encomix.es
:Compare password
:UNIX domain account for "encomix.es" is "encomix"
:Get uid/gid/homedir from "encomix" passwd account
: homedir."/jonah" is user's homedir

The reason of domain accounts is that you can have several machines with
several home directories/uid/gid, so that machine-private information is
not actual stored in SQL db.

I dont think it'll be difficult to implement an authenticating PAM module,
but information gathering is another thing. PAM-enabled FTP daemons use PAM
to authenticate, but then usually do getpwnam or so.. I wonder if this 
would suppose a bigger hack... :-?

Jonathan Ruano <kobalt@james.encomix.es>
Intercomputer soft, s.a.
Dpto. de Tecnologia

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []