
Re: pam_unix_auth cleanup: NIS+ issues



On Fri, Jun 11, Stephen Langasek wrote:


> > How do we pass on the above information to the RPC layer? It's a bit
> > of overkill to put additional code into librpc just for this
> > purpose. Alternatively, we can use a copy of authdes_clnt.c, and replace
> > the keyserv part with our cooked information. This is linked into
> > the PAM module. Instead of the seteuid/getspnam calls in PAM, we do
> > this:
> 
> > 	AUTH	*foo;
> > 	CLNT	*bar;
> > 
> > 	foo = authdes_cooked_create(nisplus_serv, window, 0,
> > 				netname, &conv_key);
> > 	bar = clntudp_create(...);
> > 	auth_destroy(bar->cl_auth);
> > 	bar->cl_auth = foo;
> > 
> > 	/* Call NIS+ and get the passwd */
> > 
> > 	clnt_destroy(bar);
> 
> My one reservation is that, if something like this is done which checks the
> password directly against the NIS+ server instead of using the NSS
> interface, does this any longer belong in the module called pam_unix, or
> should it be moved to a separate module?  I guess to a certain extent,
> compatibility with Sun's implementation is desirable.  Just another question
> to consider in all of this.

If we do this, we need to implement NSS again in PAM -> look at the pam_pwdb
module + libpwdb and the problems with them. Because you could no longer use
/etc/nsswitch.conf. Or you need to implement all possible NSS modules
which could access the NIS+ table and call the other modules yourself.
At the moment there are only libnss_compat and libnss_nisplus which do
NIS+ queries. But this will be tricky enough.

 Thorsten

-- 
Thorsten Kukuk      http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE GmbH           Schanzaeckerstr. 10             90443 Nuernberg
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.


