
Re: bunch of questions: pam_unix implementation... (long)

On Sun, Aug 13, Michael Ju. Tokarev wrote:

> In current pam_unix code, it is done by comparing pw_passwd field with
> "x" (to mean "plain shadow file") and with "*NP*" (to mean "Nis
> Password"),

Wrong. *NP* means you are not allowed to see the encrypted
password. You will get this if you are not allowed to see
the password on a NIS+ server.

> all other values here mean "take this value as a password".
> With the second case, the [e]uid is reset to that of the user before
> attempting to get the shadow entry (these are the "special" privileges
> I wrote about above).

No, this is not to get the shadow entry. That's wrong.
Only the user is allowed to see his password in the NIS+ database.
Even root of a client is not allowed to see it. So this is the
reason for this hack, because we need the encrypted password to
compare it.

> 1.a.  Iff we have other auth methods (LDAP, NIS+ etc), is this set of
> "magic" passwd values ("x", "*NP*") sufficient?  Maybe this set should be
> extended (e.g. "*LP*" as LDAP passwd, "*NPP*" as nis+ passwd etc), or maybe
> just some magic character (like *) or a "strange" password length should
> indicate that condition?  (Condition here: a: password stored elsewhere
> and b: to get it, we need to reset the [e]uid).

This "x" and "*NP*" have nothing to do with PAM, they are implemented in the
database. So you need to change NIS+ and LDAP, but not pam_unix.

> So, the enforcement from the nis client library (to get the shadow entry of
> some person you should have a uid equal to the uid of that person) is not
> practically useful, since it is easy to modify the nis client code (compile
> it yourself, implement it in perl etc) to avoid such enforcement.

Recompiling does not help you, because then secureRPC will no longer
work and you cannot authenticate yourself against the NIS+ server.
This means you will never get the password.

Thorsten Kukuk       http://www.suse.de/~kukuk/       kukuk@suse.de
SuSE GmbH            Schanzaeckerstr. 10            90443 Nuernberg
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.
