On Sun, Jun 23, 2002 at 01:29:32PM -0400, David Miller wrote:
> On 6/23/02 12:07 PM -0500, Shane Beasley wrote:
> > The solution that I envision seems eerily similar to pam_pwdb, which uses
> > a tiny, provably secure setuid helper binary that does the authentication.
> > The trouble is, it needs to be able to authenticate *any* user, not just
> > the user doing the authentication. Basically, instead of the helper binary
> > calling getuid(), it would receive the user name from the PAM module. It
> > sounds simple enough, which is why I was hoping that someone had done this
> > already. :)

> This would be the optimum solution. I looked into hacking it to do that at
> one point and never did get it finished. The solution suggested in docs
> for the mod_auth_pam module for Apache is to make /etc/shadow be
> group-readable to apache. This isn't all that secure either, but it's not
> quite as bad as making it world-readable, and it works until someone comes
> up with a setuid helper binary that could authenticate anyone.

pwdb_chkpwd (and likewise, unix_chkpwd) is a rather simple utility -- removing
the uid checks and recompiling should be straightforward. There simply hasn't
been any coordinated interest in providing this functionality by default,
probably because most development on PAM modules has moved towards
client-server authentication schemes such as Kerberos, LDAP, and Samba.

Steve Langasek
postmodern programmer
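As an added illustration (not code from this thread or from Linux-PAM), here is the module side of the design Shane describes: a hypothetical run_helper() that hands a helper binary the target username and password over a pipe instead of argv, and validates the name first because the helper now accepts any caller's request. The helper path, the "user\npassword\n" line protocol and the exit-status convention are assumptions.

```c
// Hypothetical PAM-module side of a "helper that authenticates any user".
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_USER 32

/* Reject names the helper should never receive: empty, too long, or holding
   bytes that would break the line protocol or the passwd/shadow format. The
   helper must repeat this check itself; it cannot trust its caller. */
int username_ok(const char *u) {
    size_t n = strlen(u);
    if (n == 0 || n > MAX_USER) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!isgraph(c) || c == ':') return 0;
    }
    return 1;
}

/* Run the helper given as argv, writing "user\npassword\n" to its stdin
   (never argv or the environment, which other local users can read under
   /proc). Returns 0 when the helper exits 0, -1 on any failure. */
int run_helper(char *const argv[], const char *user, const char *password) {
    int fds[2];
    if (!username_ok(user) || strchr(password, '\n') || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: stdin <- pipe, exec helper */
        close(fds[1]);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[0]);                        /* parent: send credentials, wait */
    FILE *out = fdopen(fds[1], "w");
    if (out) { fprintf(out, "%s\n%s\n", user, password); fclose(out); }
    else close(fds[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because dropping the uid check turns the helper into a password-checking oracle for every local process, install it mode 4750, owned by root with the web server's group (the same trust boundary as the group-readable /etc/shadow David mentions), and have it log and delay on failure.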