I had a similar requirement recently (enabling a web-based application,
running under the username 'nobody', to use PAM to authenticate users), and
ended up modifying the unix_chkpwd sources to allow the (compile time)
definition of a list of user ids that were allowed to make password lookups
for other uids. Worked great.

I sent the changes back to the author (Andrew Morgan?? IIRC), so they
*might* be in the latest release. If not, I'll be happy to send you my
modifications.

<Steve Reppucci>

On Sun, 23 Jun 2002, Shane Beasley wrote:

> This question seems like one which ought to have been asked over and over
> again, yet I cannot find any suitable resolution; I am hoping that perhaps
> someone can point me in the right direction.
>
> I endeavor to configure a few services to perform password authentication.
> However, it seems that the available modules fall into one of two camps:
> either allow root to authenticate any user, or allow any non-root user to
> authenticate himself. The trouble is that neither Apache nor Exim runs as
> root -- nor should they -- which, given the apparent arsenal of PAM
> modules available, restricts them to authenticating the web and mail
> users, respectively, which isn't a very useful trick.
>
> The closest all-PAM solution that I've seen thus far is pam_pwdfile, which
> allows authentication against some other file outside of the main password
> database, but that strikes me as a hack in this particular situation.
> Perhaps in the case where the protected service has a different set of
> users than the system itself, this is a great module; but here, where the
> whole point of the authentication is to make sure that you have an account
> on the system, it's another story entirely: You've got a database which is
> hidden from all eyes but root's for security reasons, and you're setting
> up a cron job to make a copy of it so that some large, possibly insecure
> (where "insecure" could just be "misconfigured") non-root process can read
> it.
>
> The solution that I envision seems eerily similar to pam_pwdb, which uses
> a tiny, provably secure setuid helper binary that does the authentication.
> The trouble is, it needs to be able to authenticate *any* user, not just
> the user doing the authentication. Basically, instead of the helper binary
> calling getuid(), it would receive the user name from the PAM module. It
> sounds simple enough, which is why I was hoping that someone had done this
> already. :)
>
> If not, I may just have to do it myself...
>
> FWIW, I think that this is no less secure than SSH or IMAP-over-SSL when
> done properly. It will only take place over an encrypted connection (I
> already have SSL waiting to go for both Apache and Exim), and failed
> attempts will hopefully be followed by a delay to discourage brute force
> attacks.
>
> Any suggestions on how to go about doing this would be greatly
> appreciated.
>
> Regards,
>
> Shane Beasley
>
> _______________________________________________
>
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list

--
Steve Reppucci                        sgr@logsoft.com
Logical Choice Software               http://logsoft.com/
=-=-=-=-=-=-=-=-=-=- My God! What have I done? -=-=-=-=-=-=-=-=-=-=
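As an added illustration of the helper design discussed in this thread (it is not code from unix_chkpwd, Linux-PAM, or either poster): a setuid-root helper that receives the target user name from the PAM module over a pipe, decides from the caller's *real* uid whether that caller may look up someone else's hash, fetches the shadow entry while still privileged, and then drops root. The allow-list values (33 and 8), the "username newline on stdin" protocol, and all function names are assumptions made for this example. The security-relevant points are the use of getuid() rather than geteuid() (in a setuid-root binary the effective uid is always 0, so checking it would allow everyone), validating the name before it reaches the NSS lookup, and the failure delay Shane asked for.

```c
#include <ctype.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical compile-time allow-list: uids that may verify passwords for
 * users other than themselves (e.g. the web and mail service accounts).
 * The numeric values are assumptions for this example. */
static const uid_t allowed_checkers[] = { 33, 8 };

/* Policy: root and the target user may always check; any other caller must
 * be on the allow-list. 'caller' must be the REAL uid (getuid()), because in
 * a setuid-root helper geteuid() is always 0 and would grant everyone. */
int caller_may_check(uid_t caller, uid_t target)
{
    if (caller == 0 || caller == target)
        return 1;
    for (size_t i = 0; i < sizeof allowed_checkers / sizeof allowed_checkers[0]; i++)
        if (allowed_checkers[i] == caller)
            return 1;
    return 0;
}

/* Sanity-check a user name received from the (less trusted) PAM module side
 * before it is handed to getpwnam(): non-empty, bounded, portable characters,
 * starting with a lowercase letter or underscore. */
int username_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32)
        return 0;
    if (!(islower((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Resolve the target, apply the policy, and read the shadow entry while we
 * are still root. Returns a malloc'd copy of the hash, or NULL on denial. */
char *fetch_hash_if_allowed(uid_t caller, const char *name)
{
    if (!username_ok(name))
        return NULL;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || !caller_may_check(caller, pw->pw_uid))
        return NULL;
    struct spwd *sp = getspnam(name);   /* requires root: we are setuid */
    if (sp == NULL || sp->sp_pwdp == NULL)
        return NULL;
    return strdup(sp->sp_pwdp);
}

int main(void)
{
    char name[64];
    /* Assumed protocol: the PAM module writes "username\n" to our stdin. */
    if (fgets(name, sizeof name, stdin) == NULL)
        return 2;
    name[strcspn(name, "\n")] = '\0';

    uid_t real = getuid();
    char *hash = fetch_hash_if_allowed(real, name);

    /* Privilege is no longer needed once the hash is in memory: drop it
     * before touching any further attacker-influenced input. */
    if (setuid(real) != 0)
        return 2;

    if (hash == NULL) {
        sleep(2);                       /* slow down brute force on failure */
        fprintf(stderr, "denied\n");
        return 1;
    }
    /* The crypt() comparison against the candidate password would go here. */
    memset(hash, 0, strlen(hash));
    free(hash);
    return 0;
}
```

Install the helper mode 4750, owned by root and a group containing only the service accounts named in the allow-list, so that nothing else can even execute it; the allow-list is then a second line of defence, not the only one. The actual hash comparison is left out above because it depends on the crypt library available on the system.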