
Re: Authenticating different services from different password files

> This may be addressed with the upcoming password mapping extensions. 
> However, there is still some debate within X/Open what these will actually
> look like.  (I will not be implementing them any further until I get some
> more feedback from X/Open / Sun).
> Cheers
> Andrew
>> G'Day -
>> I'd like to be able to authenticate different services from different
>> files, eg. login users (telnet/rlogin/console) from /etc/passwd,
>> ftp users from /etc/passwd ftp and pop users from /etc/passwd pop
>> Are there flags for any of the current PAM modules to support this?
>> Cheers,
>> Greg

	Although it's not a PAM issue at all I'd like to 
	note that it is possible to use different /etc/passwd's
	for different services -- so long as you're willing to 
	run each service inside of a chroot environment.  This 
	can be a pain to set up.

	For one system I set up I simply made two installations
	(RedHat 4.0 in this case) -- one onto one drive and another
	onto another.  Then I changed the /etc/rc* files on the 
	boot device to do a chroot to the root of the other device
	where I ran all of the normal services (inetd, sendmail, etc).

	In the true root I ran ssh, syslog, and cron (with 
	extra copies of syslog and cron in the chroot).  

	(true root)/cron does tripwire and cops and other 
	host specific monitoring.

	So, it is possible to configure your system with as many
	different account databases as you need even without PAM.

	Many sites have chosen to just set up separate servers
	for each service that needs different administrative info
	(like different accounts and passwords).  This is probably 
	because the redundancy is easier to manage and less expensive
	than the complexity of doing this on a single system.  They 
	also benefit from excess capacity and less reliance (a single
	failure is less likely to affect other services) and greater
	administrative flexibility (different sys admins can manage
	different systems).

Jim Dennis,                                info@mail.starshine.org
Proprietor,                          consulting@mail.starshine.org
Starshine Technical Services              http://www.starshine.org

        PGP  1024/2ABF03B1 Jim Dennis <jim@starshine.org>
        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A 
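
Added example (not part of the original message): a check that a chroot's account database really is separate from the true root's, which is the point of the per-service chroot setup described above. It assumes password hashes are stored in etc/passwd itself (no shadow file); `audit_jail`, the directory layout and every sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a chroot'ed service's account database is really
# independent of the true root's. Assumes password hashes are stored in
# etc/passwd itself (no shadow file); all paths and entries are constructed.

# audit_jail TRUE_ROOT JAIL_ROOT
# Prints "SHARED <login>" for logins with the same usable password field in
# both databases, and "UID0 <login>" for non-root superuser accounts in the jail.
audit_jail() {
    awk -F: '
        NR == FNR { hash[$1] = $2; next }        # pass 1: true-root logins
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # locked ("*", "!") or shadowed ("x") fields are not usable credentials
        ($1 in hash) && hash[$1] == $2 && $2 !~ /^([*!]+|x)$/ { print "SHARED " $1 }
    ' "$1/etc/passwd" "$2/etc/passwd"
}

# Constructed sample trees: a true root and a chroot used for ftp.
make_sample() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/true/etc" "$demo/ftp/etc"
    cat > "$demo/true/etc/passwd" <<'EOF'
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
greg:QrStUvWxYz012:500:500::/home/greg:/bin/sh
jim:*:501:501::/home/jim:/bin/sh
EOF
    cat > "$demo/ftp/etc/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/false
greg:QrStUvWxYz012:500:500::/home/greg:/bin/false
jim:*:501:501::/home/jim:/bin/false
ftpadm:ZyXwVuTsRq987:0:0::/:/bin/sh
EOF
}

make_sample && audit_jail "$demo/true" "$demo/ftp"
```

A "SHARED" line means a password cracked or sniffed from the service inside the chroot also works against the true root, so the two databases are separate in name only.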
