
Re: alternate password file module?



vorlon@netexpress.net wrote:

> On Wed, 28 Jul 1999, Jesse Off wrote:
>
> > Is there any PAM module available that can take a different password for a
> > user rather than the ones in /etc/passwd or /etc/shadow?  Specifically, I
> > would like to be able to have imap or pop3 servers use a separate password
> > than the one that is in the /etc/passwd database.
>
> I've heard talk about such a module in the past, but to my knowledge no one
> has written one yet.
>
> I think part of the reason for this is that it's almost never really useful.
> If the users are to be granted access to system resources, they have to have
> an identity recognized by the system, which means they must be present in
> the password file--or at least in some other database that can be accessed
> through NSS.  [snip]

This was fine until you said "which means they must be present in the password
file".

It is entirely possible to have users on the system who are not present in the
password file (or similar).  Very few programs actually require a mapping from
UID to username in the password file -- login and ftp are the only two I can
think of off hand (PAM notwithstanding).  I suppose /bin/mail (for local mail
delivery) does as well, but I suspect that this can be configured around
anyway.

Linux (and Unix in general) doesn't much care how a UID is assigned to a
process.  It certainly doesn't care that a UID should appear in a password
file.  For example, in OpenMail, we have OpenMail users that are associated
with a unique user ID in the OpenMail authentication database (aka password
file).  When a user authenticates themselves against OpenMail, then the process
that checked authentication does a setuid() and everybody is happy.

Of course, there's always the odd broken program that thinks that UIDs should
appear in the password file (some versions of "tar" for example) ... but
personally, I'd rather live with that than 20,000 or so useless entries in
/etc/passwd.

Oh yes, to the original question.  It's a piece of cake to convert an existing
PAM module to use something other than /etc/passwd (or similar).  In general,
all you need to do is write routines like getpwuid(), putpwent(), getgrgid(),
etc. and drop them into place.

jch

begin:vcard 
n:Haxby;John
tel;work:+44 1344 763711
x-mozilla-html:FALSE
url:http://www.hp.com/go/OpenMail
org:Hewlett Packard;OpenMail R&D
adr:;;Nine Mile Ride;Wokingham;Berks;RG40 3LL;England
version:2.1
email;internet:jch@pwd.hp.com
x-mozilla-cpt:;14976
fn:John Haxby
end:vcard
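The reply's closing suggestion, as an added example that is not code from the thread or from OpenMail: replacement getpwnam()/getpwuid() routines that read a constructed alternate password database instead of /etc/passwd, so a PAM module can look up users who have no entry there. The database contents, the placeholder hashes and the alt_ prefix are assumptions.

```c
/* Added example (not from the thread): getpwnam()/getpwuid() look-alikes over a
 * constructed alternate password database rather than /etc/passwd.  Database
 * text, names and the alt_ prefix are assumptions for illustration. */
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed database in passwd layout: name:hash:uid:gid:gecos:home:shell */
static const char *ALT_DB =
    "mailuser1:$6$PLACEHOLDER1:20001:20001:Mail user one:/var/mail/mailuser1:/sbin/nologin\n"
    "mailuser2:$6$PLACEHOLDER2:20002:20001:Mail user two:/var/mail/mailuser2:/sbin/nologin\n";

static struct passwd result;   /* static result buffer, like the libc routines */
static char line_buf[512];

/* Split one line into the seven passwd fields; returns 0 on success. */
static int parse_line(const char *line, size_t len)
{
    char *fields[7], *p = line_buf;
    if (len >= sizeof line_buf) return -1;
    memcpy(line_buf, line, len); line_buf[len] = '\0';
    for (int i = 0; i < 7; i++) {
        fields[i] = p;
        if (i == 6) break;
        char *colon = strchr(p, ':');
        if (!colon) return -1;     /* malformed entry: reject it, don't guess */
        *colon = '\0'; p = colon + 1;
    }
    result.pw_name = fields[0];  result.pw_passwd = fields[1];
    result.pw_uid = (uid_t)strtoul(fields[2], NULL, 10);
    result.pw_gid = (gid_t)strtoul(fields[3], NULL, 10);
    result.pw_gecos = fields[4]; result.pw_dir = fields[5]; result.pw_shell = fields[6];
    return 0;
}

/* Scan the database; match by name when name != NULL, otherwise by uid. */
static struct passwd *alt_lookup(const char *name, uid_t uid)
{
    for (const char *cur = ALT_DB; *cur; ) {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        if (parse_line(cur, len) == 0 &&
            (name ? strcmp(result.pw_name, name) == 0 : result.pw_uid == uid))
            return &result;
        cur = nl ? nl + 1 : cur + len;
    }
    return NULL;   /* absent from the alternate database, as getpwnam() would report */
}

struct passwd *alt_getpwnam(const char *name) { return alt_lookup(name, 0); }
struct passwd *alt_getpwuid(uid_t uid)        { return alt_lookup(NULL, uid); }
```

A UID the alternate database does not know is simply reported as absent, which is the behaviour the reply relies on when it says a process can setuid() to an identity that never appears in /etc/passwd.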
