[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How do I get rid of passwd/shadow files

On Wed, 28 Oct 1998, Luke Kenneth Casson Leighton wrote:

> > If some of you have succeeded in removing the need for password
> > files for services which require user authentication I would be
> > extremely greatful for any tips.
> richard, this is exactly what i would like to achieve, too.  the
> discussions underway, people advise that there exist protocols already to
> do this, and they seem to be saying use those, don't reinvent the wheel in
> PAM.
> however, PAM has been adopted as standard in redhat linux, and that
> carries weight.  if those other protocols are _also_ adopted, then i will
> join development lists on them and help out.

But in a very real sense, that's not what PAM is for, and it's not what
it's used for.  The confusion probably stems from Red Hat's use of the
pwdb library for manipulating password and group information, and PAM's
inclusion of a module (pam_pwdb, as opposed to pam_unix) that uses pwdb to
do standard Unix-style password authentication.

Using pwdb here *does* gain you access to a RADIUS database while
authenticating users, but is of no help to programs that don't explicitly
use pwdb to retrieve user information.  You can recompile applications
adding the pwdb header files, and the calls to the getpw* and getgr*
functions get mapped to the POSIX-compatible functions provided by pwdb.

Red Hat doesn't do this.  With the NSS interface provided by glibc, the
best solution is probably to just write a module to interface to RADIUS
and let all of your installed programs benefit without the need for
recompilation.  The key assumption made with NSS (AFAIK) is that the user
information can be gotten without authenticating to the service, so if all
access to a RADIUS database is password-protected, allowances would need
to be made.

If your copy of pwdb provides all of the information that pwdb's "unix"
module provides, you might be able to achieve this with an nss_pwdb module
The module incurs definite overhead from starting up pwdb and shutting it
down again (just as calls to pwdb's compatibility functions do), but it
might work for you.

Hope this helps,


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []