
Re: non-root authentication of non-root users

On Sun, Jun 23, 2002 at 01:29:32PM -0400, David Miller wrote:
> On 6/23/02 12:07 PM -0500, Shane Beasley wrote:

> > The solution that I envision seems eerily similar to pam_pwdb, which uses
> > a tiny, provably secure setuid helper binary that does the authentication.
> > The trouble is, it needs to be able to authenticate *any* user, not just
> > the user doing the authentication. Basically, instead of the helper binary
> > calling getuid(), it would receive the user name from the PAM module. It
> > sounds simple enough, which is why I was hoping that someone had done this
> > already. :)

> This would be the optimum solution.  I looked into hacking it to do that at
> one point and never did get it finished.  The solution suggested in docs
> for the mod_auth_pam module for Apache is to make /etc/shadow be
> group-readable to apache.  This isn't all that secure either, but it's not
> quite as bad as making it world-readable, and it works until someone comes
> up with a setuid helper binary that could authenticate anyone.

pwdb_chkpwd (and likewise, unix_chkpwd) is a rather simple utility --
removing the uid checks and recompiling should be straightforward.
There simply hasn't been any coordinated interest in providing this
functionality by default, probably because most development on PAM
modules has moved towards client-server authentication schemes such as
Kerberos, LDAP, and Samba.

Steve Langasek
postmodern programmer

Attachment: pgp00001.pgp
Description: PGP signature
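What a unix_chkpwd-style helper actually does, as an added example that is not code from this thread or from Linux-PAM. The password comparison is a from-scratch Python implementation of the glibc SHA-512 crypt(3) scheme ($6$), so it runs offline without libcrypt or root; the shadow lines, uid table and account names (alice, bob, www-data) are constructed for the example, and alice's hash is the SHA-crypt specification test vector for the password "Hello world!" with salt "saltstring". helper_check() keeps the rule the stock helper enforces (a non-root caller may only check its own account) and exposes it as a flag, so the effect of "removing the uid checks" can be seen: with the check gone, any local uid can drive the helper as a password-guessing oracle for every account, which is the cost of the approach the thread is weighing against a group-readable /etc/shadow.

```python
"""Core of a unix_chkpwd-style setuid helper, rebuilt in pure Python (added example)."""
import hashlib
import hmac

# crypt(3) base64 alphabet (not RFC 4648); characters come out low 6 bits first
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_24(b2, b1, b0, n):
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def sha512_crypt(password, salt, rounds=None):
    """Return '$6$[rounds=N$]salt$hash' exactly as glibc crypt(3) would."""
    salt = salt[:16]                                   # glibc caps the salt at 16 bytes
    n_rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    sha = hashlib.sha512
    b = sha(password + salt + password).digest()
    a = sha(password + salt)
    a.update(b * (len(password) // 64) + b[: len(password) % 64])
    n = len(password)
    while n:                                           # bits of len(password), low to high
        a.update(b if n & 1 else password)
        n >>= 1
    digest_a = a.digest()
    dp = sha(password * len(password)).digest()
    p = (dp * (len(password) // 64 + 1))[: len(password)]
    ds = sha(salt * (16 + digest_a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[: len(salt)]
    c = digest_a
    for i in range(n_rounds):                          # the cost factor lives here
        h = sha(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = ""
    for k in range(21):                                # glibc's byte permutation
        t = (k, k + 21, k + 42)
        i0, i1, i2 = t[k % 3], t[(k + 1) % 3], t[(k + 2) % 3]
        out += _b64_24(c[i0], c[i1], c[i2], 4)
    out += _b64_24(0, 0, c[63], 2)
    prefix = "$6$" + ("" if rounds is None else f"rounds={n_rounds}$")
    return prefix + salt.decode() + "$" + out


def sha512_crypt_verify(password, stored):
    """Recompute and compare in constant time against a stored $6$ hash."""
    parts = stored.split("$")                          # '', '6', [rounds=N], salt, hash
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][7:])
        parts.pop(2)
    if len(parts) != 4:
        return False
    recomputed = sha512_crypt(password, parts[2].encode(), rounds)
    return hmac.compare_digest(recomputed.encode(), stored.encode())


# Constructed shadow(5) lines and uid table standing in for /etc/shadow and getpwnam().
# alice: SHA-crypt spec test vector for "Hello world!" / salt "saltstring"
SHADOW = [
    "alice:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:19000:0:99999:7:::",
    "bob:!:19000:0:99999:7:::",                        # locked account
    "www-data:*:19000:0:99999:7:::",                   # no password login
]
UIDS = {"alice": 1000, "bob": 1001, "www-data": 33}

EXIT_OK, EXIT_BAD_PASSWORD, EXIT_REFUSED = 0, 1, 2


def helper_check(caller_uid, username, password, allow_any_user=False):
    """Exit status a unix_chkpwd-like helper would return to the PAM module.

    caller_uid is what the setuid helper sees in getuid(); username and password
    are what the module hands it over the pipe.  allow_any_user=False keeps the
    stock rule (only root may check another account); True is the modification
    the thread describes, and turns the helper into an oracle for every account.
    """
    if username not in UIDS:
        return EXIT_BAD_PASSWORD                       # do not reveal which names exist
    if not allow_any_user and caller_uid != 0 and caller_uid != UIDS[username]:
        return EXIT_REFUSED
    for line in SHADOW:
        fields = line.split(":")
        if fields[0] != username:
            continue
        stored = fields[1]
        if not stored.startswith("$6$"):               # '!', '*', empty or another scheme
            return EXIT_BAD_PASSWORD
        return EXIT_OK if sha512_crypt_verify(password, stored) else EXIT_BAD_PASSWORD
    return EXIT_BAD_PASSWORD
```

A real helper would read the username and password from its stdin, call getspnam() and crypt() and exit with the status; the point of the uid rule is that the setuid bit alone does not decide who may probe whose password, the helper's own policy does. Any deployment that relaxes it for a web server should at least rate-limit or log failures, since the 5000-round cost is the only brake left on guessing.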
