[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: alternate password file module?
On Sat, 31 Jul 1999, Stephen Langasek wrote:

> On Wed, 28 Jul 1999, Jesse Off wrote:
> 
> > Is there any PAM module available that can take a different password for a
> > user rather than the ones in /etc/passwd or /etc/shadow?  Specifically, I
> > would like to be able to have imap or pop3 servers use a separate password
> > than the one that is in the /etc/passwd database.
> 
> I've heard talk about such a module in the past, but to my knowledge no one
> has written one yet.
> 
> I think part of the reason for this is that it's almost never really useful.
> If the users are to be granted access to system resources, they have to have
> an identity recognized by the system, which means they must be present in
> the password file--or at least in some other database that can be accessed
> through NSS.  If you use an NSS module which reads an alternate password
> file, you have to configure this globally for the system... so every other
> application on the system will know about them as well, and you might as
> well leave them in the main shadow/password files.

I think you misunderstood.  All I would prefer to use an alternate
password file for is the password.  I do not wish to override any of the
other fields in /etc/passwd or /etc/shadow.  I think this module would be
extremely useful as administrators could assign separate passwords for
users for separate PAMized system services.  The benefits would mostly be
security related as crackers that may have sniffed the POP3 password
wouldn't also be able to use that password for other services (telnet,
ftp, etc).

I implemented my own solution through a hack to the UW pop3/imap
servers.  With this hack, each user has a file in their homedir called
.poppwd which contains a different crypt()'ed password than the one in
/etc/passwd.  If the file exists, the remote pop3 user must supply the
password contained in the crypted ~/.poppwd; if not, the one in
/etc/passwd must be given for authentication.


> A simpler solution, IMHO, would be to put these users in your
> password/shadow files with an invalid shell (and homedir if you like), and
> use PAM to limit access to other services by group.  If properly configured,
> the difference in security is minimal--anyone who could bypass this could
> just as easily add a new user to the system.

This cannot be done.  This machine also serves logins and people need a
shell.  Your 'simpler' solution would require me to build and
administrate another machine dedicated for POP3 and email and devise some
easy way for users to be able to change their POP password without a
shell to run the 'passwd' command from.  (I've written a quick util called
poppasswd for my UW imap/pop3 hack that works just like /bin/passwd except
it updates the ~/.poppwd file.)

//Jesse Off
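
The ~/.poppwd scheme described in the message above, as an added example that is not Jesse's code and not the UW imap/pop3 patch or poppasswd utility he mentions. It shows the two halves of the scheme: a POP3 authentication check that prefers the per-user override file and falls back to the system password only when the file is absent, and a poppasswd-style updater that writes the file. Assumptions, none of which come from the post: the system password database is a constructed in-memory dict standing in for /etc/passwd or /etc/shadow; the hash is PBKDF2-SHA256 in a crypt(3)-like "$scheme$salt$hash" string rather than real crypt() output, so it runs with the standard library alone; and an override file that is a symlink or is readable by group or other is treated as unsafe and fails closed (a hardening choice added here, not part of the original hack).

```python
"""Per-service password override: ~/.poppwd takes precedence over the system password for POP3."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Dict, Optional

POPPWD_NAME = ".poppwd"
PBKDF2_ROUNDS = 100_000  # assumed work factor; the original used crypt(3)


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return "$pbkdf2-sha256$<salt>$<hex>", an illustrative stand-in for crypt() output."""
    if salt is None:
        salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS).hex()
    return f"$pbkdf2-sha256${salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        _, scheme, salt, digest = stored.split("$")
    except ValueError:
        return False  # malformed entry never authenticates
    if scheme != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS).hex()
    return hmac.compare_digest(candidate, digest)


def read_poppwd(home: str) -> Optional[str]:
    """Return the hash stored in ~/.poppwd, None if absent, or raise ValueError if the file is unsafe."""
    path = os.path.join(home, POPPWD_NAME)
    try:
        st = os.lstat(path)  # lstat so a symlink is seen as a symlink
    except FileNotFoundError:
        return None
    # Added hardening (assumption, not in the post): refuse symlinks and group/other-accessible files.
    if stat.S_ISLNK(st.st_mode) or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
        raise ValueError("unsafe %s: symlink or accessible by group/other" % path)
    with open(path) as f:
        return f.readline().strip()


def authenticate_pop(user: str, password: str, home: str, system_hashes: Dict[str, str]) -> bool:
    """POP3 check: the per-service password wins when ~/.poppwd exists; otherwise the login password."""
    try:
        override = read_poppwd(home)
    except ValueError:
        return False  # file present but unsafe: fail closed rather than fall back
    if override is not None:
        return verify_password(password, override)
    stored = system_hashes.get(user)
    return stored is not None and verify_password(password, stored)


def set_pop_password(home: str, new_password: str) -> str:
    """poppasswd-style updater: create ~/.poppwd mode 0600 and replace it atomically."""
    path = os.path.join(home, POPPWD_NAME)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(hash_password(new_password) + "\n")
    os.replace(tmp, path)
    return path


def demo() -> Dict[str, bool]:
    """Walk through the four cases using a temporary directory as the user's home."""
    with tempfile.TemporaryDirectory() as home:
        # Constructed stand-in for the /etc/shadow entry of user "jesse".
        system_hashes = {"jesse": hash_password("login-secret")}
        results = {}
        # No ~/.poppwd yet: the login password is what POP3 accepts.
        results["no_poppwd_login_pw_ok"] = authenticate_pop("jesse", "login-secret", home, system_hashes)
        set_pop_password(home, "pop-only-secret")
        # With ~/.poppwd present, only the POP password works; the login password is refused.
        results["poppwd_pop_pw_ok"] = authenticate_pop("jesse", "pop-only-secret", home, system_hashes)
        results["poppwd_login_pw_rejected"] = authenticate_pop("jesse", "login-secret", home, system_hashes)
        # A world-readable override file is refused outright.
        os.chmod(os.path.join(home, POPPWD_NAME), 0o644)
        results["world_readable_rejected"] = authenticate_pop("jesse", "pop-only-secret", home, system_hashes)
        return results


if __name__ == "__main__":
    print(demo())
```

Two practitioner notes on the scheme itself: the separation only limits what a sniffed credential is good for (a POP3 password captured in the clear still opens the mailbox, just not telnet or ftp), and the server must read the override file as the user, or as root with the ownership and mode checks above, so that another local user cannot plant or replace it.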
