[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM concepts (was: pam_{unix,pwdb}: crypt/md5 necessary?)

On Thu, Aug 03, 2000 at 12:08:28PM -0500, Steve Langasek wrote:
> Work on pam_pwdb started before glibc was widely used on Linux (and Linux 
> libc5 didn't have nsswitch), and for a while, pam_pwdb was better-maintained
> and more feature-rich than pam_unix.  The situation has changed now: pam_pwdb
> has been almost completely abandoned.  RedHat still uses it as their default,
> but they're also talking about switching to pam_unix in the future.  When they
> do, pam_unix will be the de facto authoritative module.

This week's beta uses pam_unix by default, and so will the next release.

> Is this how the pam_ldap module works?  I don't know if it has an 'auth' mode
> as well (perhaps there's a more secure way to authenticate against LDAP than
> by sending the password with getpwnam()).

Yes, it does.  The auth module attempts to do a simple bind to the
configured LDAP server as the user being authenticated, because a server
that's configured with the least amount of security in mind won't send
out the contents of a user's crypted password field.

As an aside, people tend to trip over this when they migrate from a
shadow system (where it's an "x") and they find that pam_unix can no
longer read their shadow information when pam_acct_mgmt() is called.

> There are also persistent problems with cracklib under RedHat, because
> cracklib itself has one dictionary path compiled in, and RedHat installs the
> dictionaries to another.

That should've been fixed by now.  If you're still seeing it happen in the
latest updates, let me know and I'll take another shot at fixing it.

> I think that modularity, in this case, means writing modules which are wholly
> independent of one another.  PAM modules should interoperate nicely, but no
> PAM module should depend on other modules to do its job.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []