[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: non-root authentication of non-root users

I had a similar requirement recently (enabling a web-based
application, running under the username 'nobody', to use PAM to
authenticate users), and ended up modifying the unix_chkpwd sources
to allow the (compile time) definition of a list of user ids that
were allowed to make password lookups for other uids.  Worked great.

I sent the changes back to the author (Andrew Morgan?? IIRC), so
they *might* be in the latest release. If not, I'll be happy to send
you my modifications.

<Steve Reppucci>

On Sun, 23 Jun 2002, Shane Beasley wrote:

> This question seems like one which ought to have been asked over and over
> again, yet I cannot find any suitable resolution; I am hoping that perhaps
> someone can point me in the right direction.
> I endeavor to configure a few services to perform password authentication.
> However, it seems that the available modules fall into one of two camps:
> either allow root to authenticate any user, or allow any non-root user to
> authenticate himself. The trouble is that neither Apache nor Exim runs as
> root -- nor should they -- which, given the apparent arsenal of PAM
> modules available, restricts them to authenticating the web amd mail
> users, respectively, which isn't a very useful trick.
> The closest all-PAM solution that I've seen thus far is pam_pwdfile, which
> allows authentication against some other file outside of the main password
> database, but that strikes me as a hack in this particular situation.
> Perhaps in the case where the protected service has a different set of
> users than the system itself, this is a great module; but here, where the
> whole point of the authentication is to make sure that you have an account
> on the system, it's another story entirely: You've got a database which is
> hidden from all eyes but root's for security reasons, and you're setting
> up a cron job to make a copy of it so that some large, possibly insecure
> (where "insecure" could just be "misconfigured") non-root process can read
> it.
> The solution that I envision seems eerily similar to pam_pwdb, which uses
> a tiny, provably secure setuid helper binary that does the authentication.
> The trouble is, it needs to be able to authenticate *any* user, not just
> the user doing the authentication. Basically, instead of the helper binary
> calling getuid(), it would receive the user name from the PAM module. It
> sounds simple enough, which is why I was hoping that someone had done this
> already. :)
> If not, I may just have to do it myself...
> FWIW, I think that this is no less secure than SSH or IMAP-over-SSL when
> done properly. It will only take place over an encrypted connection (I
> already have SSL waiting to go for both Apache and Exim), and failed
> attempts will hopefully be followed by a delay to discourage brute force
> attacks.
> Any suggestions on how to go about doing this would be greatly
> appreciated.
> Regards,
> Shane Beasley
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list

Steve Reppucci                                       sgr@logsoft.com |
Logical Choice Software                          http://logsoft.com/ |
=-=-=-=-=-=-=-=-=-=-  My God!  What have I done?  -=-=-=-=-=-=-=-=-=-=

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []