This question seems like one which ought to have been asked over and over again, yet I cannot find any suitable resolution; I am hoping that perhaps someone can point me in the right direction.

I endeavor to configure a few services to perform password authentication. However, it seems that the available modules fall into one of two camps: either allow root to authenticate any user, or allow any non-root user to authenticate himself. The trouble is that neither Apache nor Exim runs as root -- nor should they -- which, given the apparent arsenal of PAM modules available, restricts them to authenticating the web and mail users, respectively, which isn't a very useful trick.

The closest all-PAM solution that I've seen thus far is pam_pwdfile, which allows authentication against some other file outside of the main password database, but that strikes me as a hack in this particular situation. Perhaps in the case where the protected service has a different set of users than the system itself, this is a great module; but here, where the whole point of the authentication is to make sure that you have an account on the system, it's another story entirely: you've got a database which is hidden from all eyes but root's for security reasons, and you're setting up a cron job to make a copy of it so that some large, possibly insecure (where "insecure" could just be "misconfigured") non-root process can read it.

The solution that I envision seems eerily similar to pam_pwdb, which uses a tiny, provably secure setuid helper binary that does the authentication. The trouble is, it needs to be able to authenticate *any* user, not just the user doing the authentication. Basically, instead of the helper binary calling getuid(), it would receive the user name from the PAM module. It sounds simple enough, which is why I was hoping that someone had done this already. :) If not, I may just have to do it myself...
FWIW, I think that this is no less secure than SSH or IMAP-over-SSL when done properly. It will only take place over an encrypted connection (I already have SSL waiting to go for both Apache and Exim), and failed attempts will hopefully be followed by a delay to discourage brute-force attacks. Any suggestions on how to go about doing this would be greatly appreciated.

Regards,
Shane Beasley
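The caller policy such a helper would need, as an added example in C that is not part of the original post or of pam_pwdb/unix_chkpwd: a setuid helper that can check *any* account's password is a password oracle for every local user, so the decision of who may ask about whom must be explicit, and the user name it receives from a non-root process must be validated before it reaches the shadow database. The helper group name and gid, the uid-to-name lookup being done elsewhere, and the user-name rule are assumptions.

```c
/* Caller policy for a hypothetical setuid-root password-check helper.
 * Added example, not pam_pwdb's or unix_chkpwd's code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define HELPER_GID  ((gid_t)1005)  /* assumed group "authhelper" holding the www/mail uids */
#define MAX_NAME    32

enum verdict { DENY = 0, ALLOW_SELF = 1, ALLOW_ANY = 2 };

/* The target name arrives from an untrusted non-root process: accept only a
 * conservative POSIX user-name shape (assumed rule) before any lookup. */
int valid_username(const char *name)
{
    size_t n = 0;
    while (n <= MAX_NAME && name[n] != '\0')
        n++;
    if (n == 0 || n > MAX_NAME || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Use the caller's real ids (getuid()/getgroups()): in a setuid binary
 * geteuid() is always root and says nothing about who invoked us.
 * Root and members of HELPER_GID may check any user; everyone else
 * may only check the account it is running as, as pam_unix does. */
enum verdict helper_policy(uid_t real_uid, const gid_t *groups, int ngroups,
                           const char *caller_name, const char *target)
{
    if (!valid_username(target))
        return DENY;
    if (real_uid == 0)
        return ALLOW_ANY;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == HELPER_GID)
            return ALLOW_ANY;
    return strcmp(caller_name, target) == 0 ? ALLOW_SELF : DENY;
}
```

Because a name is validated before any database access, a rejected request costs the helper nothing, while the fixed delay the post mentions should be applied after a failed password comparison regardless of whether the account exists.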