Re: /etc/shadow and mod_auth_pam with pam_pwdb

On Fri, Feb 19, 1999 at 10:07:40PM -0500, thi wrote:
> the problem is that the pam_pwdb library is unable to authenticate
> anyone other than the user running the server (httpd, in this case)
> using the /sbin/pwdb_chkpwd helper application.  pam_pwdb works great
> with most other servers as they are run as root.
> i am trying to fix this situation by changing the interface between
> pam_pwdb and pwdb_chkpwd so the helper application takes both a userid
> and a password to verify it with /etc/shadow.  i also plan to restrict
> the read/execute permissions on /sbin/pwdb_chkpwd to owner/group and
> make httpd be a member of this group.
> comments/suggestions?  (btw, using linux-pam-0.66 and pwdb-0.55)

You should understand well that processes/users which have execute access
to your modified /sbin/pwdb_chkpwd are able to perform a brute force attack.

If I needed to set up such an http configuration I'd give the httpd a separate
pair of passwd/shadow
1. without root and other powerful accounts, and
2. with user passwords different from passwords for the other services.

Best regards
					Andrey V.
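
The two conditions in the reply above can be checked mechanically. The following is an added example, not part of the original message: a Python audit of a web-only passwd/shadow pair. The function names, the `min_uid` cut-off for system accounts, and every sample entry are assumptions constructed for illustration.

```python
# Added example. All entries below are constructed sample data, and the
# hash fields are placeholders, not real crypt() output.
WEB_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/false
bob:x:1002:1002::/home/bob:/bin/false
"""
WEB_SHADOW = """\
root:$1$CONSTRUCTED$webroothash:10641:0:99999:7:::
alice:$1$CONSTRUCTED$alicesyshash:10641:0:99999:7:::
bob:$1$CONSTRUCTED$bobwebhash:10641:0:99999:7:::
"""
SYS_SHADOW = """\
root:$1$CONSTRUCTED$sysroothash:10641:0:99999:7:::
alice:$1$CONSTRUCTED$alicesyshash:10641:0:99999:7:::
bob:$1$CONSTRUCTED$bobsyshash:10641:0:99999:7:::
"""

def parse(text):
    """Parse passwd(5)/shadow(5)-style text into {name: [fields]}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def audit(web_passwd, web_shadow, sys_shadow, min_uid=500):
    """Return sorted (user, problem) findings; min_uid is an assumed cut-off."""
    findings = []
    sys_hashes = {n: f[1] for n, f in parse(sys_shadow).items() if len(f) > 1}
    for name, f in parse(web_passwd).items():
        # Condition 1: no root and no other powerful accounts.
        if len(f) < 3 or not f[2].isdigit():
            findings.append((name, "malformed passwd entry"))
        elif name == "root" or int(f[2]) == 0:
            findings.append((name, "uid 0 / root account present"))
        elif int(f[2]) < min_uid:
            findings.append((name, "system account below min_uid"))
    for name, f in parse(web_shadow).items():
        # Condition 2: an identical hash string means the entry was copied.
        # A differing string proves nothing: a reused password hashed with a
        # new salt looks different, so this catches copied entries only.
        h = f[1] if len(f) > 1 else ""
        if h and h[0] not in "!*" and sys_hashes.get(name) == h:
            findings.append((name, "hash copied from system shadow"))
    return sorted(findings)

print(audit(WEB_PASSWD, WEB_SHADOW, SYS_SHADOW))
```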

