
non-root authentication of non-root users



This question seems like one which ought to have been asked over and over
again, yet I cannot find any suitable resolution; I am hoping that perhaps
someone can point me in the right direction.

I endeavor to configure a few services to perform password authentication.
However, it seems that the available modules fall into one of two camps:
either allow root to authenticate any user, or allow any non-root user to
authenticate himself. The trouble is that neither Apache nor Exim runs as
root -- nor should they -- which, given the apparent arsenal of PAM
modules available, restricts them to authenticating the web and mail
users, respectively, which isn't a very useful trick.

The closest all-PAM solution that I've seen thus far is pam_pwdfile, which
allows authentication against some other file outside of the main password
database, but that strikes me as a hack in this particular situation.
Perhaps in the case where the protected service has a different set of
users than the system itself, this is a great module; but here, where the
whole point of the authentication is to make sure that you have an account
on the system, it's another story entirely: You've got a database which is
hidden from all eyes but root's for security reasons, and you're setting
up a cron job to make a copy of it so that some large, possibly insecure
(where "insecure" could just be "misconfigured") non-root process can read
it.

The solution that I envision seems eerily similar to pam_pwdb, which uses
a tiny, provably secure setuid helper binary that does the authentication.
The trouble is, it needs to be able to authenticate *any* user, not just
the user doing the authentication. Basically, instead of the helper binary
calling getuid(), it would receive the user name from the PAM module. It
sounds simple enough, which is why I was hoping that someone had done this
already. :)

If not, I may just have to do it myself...

FWIW, I think that this is no less secure than SSH or IMAP-over-SSL when
done properly. It will only take place over an encrypted connection (I
already have SSL waiting to go for both Apache and Exim), and failed
attempts will hopefully be followed by a delay to discourage brute force
attacks.

Any suggestions on how to go about doing this would be greatly
appreciated.

Regards,

Shane Beasley
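
A helper of the kind described in the post takes the user name from its caller instead of from getuid(), so it has to decide who may call it and validate what it is handed. The C below is an added example, not code from the post or from any PAM module. The function names, the NUL-delimited request (read from stdin rather than argv), the uid allowlist and sample_verify (a constructed stand-in for the getspnam() + crypt() check a real helper would perform) are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
/* Injected check; a real helper would wrap getspnam() + crypt(). Hypothetical. */
typedef int (*verify_fn)(const char *user, const char *password);
enum { AUTH_OK, AUTH_FAIL, AUTH_DENIED, AUTH_BAD_REQUEST };

/* Gate on the caller's real uid, or any local user can guess passwords. */
static int caller_allowed(uid_t ruid, const uid_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == ruid) return 1;
    return 0;
}

/* Conservative account-name check: [a-z_][a-z0-9_-]*, at most 32 bytes. */
static int valid_username(const char *u) {
    size_t len = strlen(u);
    if (len == 0 || len > 32) return 0;
    for (const char *p = u; *p; p++)
        if (!((*p >= 'a' && *p <= 'z') || *p == '_' ||
              (p > u && ((*p >= '0' && *p <= '9') || *p == '-')))) return 0;
    return 1;
}

/* Exact framing "user\0password\0" (constructed for this example). */
static int parse_request(char *buf, size_t len, char **user, char **pass) {
    char *z1 = memchr(buf, '\0', len);
    if (!z1) return 0;
    size_t off = (size_t)(z1 - buf) + 1;
    char *z2 = memchr(buf + off, '\0', len - off);
    if (!z2 || (size_t)(z2 - buf) + 1 != len) return 0;  /* no trailing bytes */
    *user = buf;
    *pass = buf + off;
    return 1;
}

/* Helper's decision logic; main() should sleep before reporting a failure. */
int authenticate(uid_t ruid, const uid_t *allowed, size_t n,
                 char *req, size_t len, verify_fn verify) {
    char *user, *pass;
    if (!caller_allowed(ruid, allowed, n)) return AUTH_DENIED;
    if (!parse_request(req, len, &user, &pass)) return AUTH_BAD_REQUEST;
    if (!valid_username(user)) return AUTH_BAD_REQUEST;
    return verify(user, pass) ? AUTH_OK : AUTH_FAIL;
}

int sample_verify(const char *u, const char *p) {  /* constructed stand-in */
    return strcmp(u, "alice") == 0 && strcmp(p, "s3cret") == 0;
}
```

The allowlist would hold the uids of the Apache and Exim accounts, and the helper would read the caller's identity with getuid() only to apply that gate, never to pick the account being checked.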




