> This question comes up often enough that I've considered writing a number of
> unix_chkpwd variants that could be shipped with Linux-PAM (but not enabled by
> default!). I'm still not sure if this is a good idea, or if it's just inviting
> trouble when admins start using that functionality without examining the
> security implications...

You could probably modify unix_chkpwd to check a config file, or hardcoded
group for "trusted" users that can verify any uid, then make it suid root.
Would require some special care, but it might prove useful. Then you can
just make the web server's uid/gid part of the trusted group, so it can
verify from pam_unix.so.

Ben

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux   \
`  bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
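
The trusted-group check suggested in the reply above, sketched as an added example (not code from Linux-PAM or from either poster): a setuid-root helper decides from the caller's real uid and group list whether it may verify another account's password. The function names and the group name passed in are hypothetical.

```c
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure policy decision: may `caller` have `target`'s password verified?
 * groups[] holds the caller's real gid plus its supplementary gids. */
int may_verify(uid_t caller, uid_t target,
               const gid_t *groups, int ngroups, gid_t trusted_gid)
{
    if (caller == 0 || caller == target)
        return 1;                       /* root, or checking own password */
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == trusted_gid)
            return 1;                   /* member of the trusted group */
    return 0;
}

/* Gate for a setuid-root helper. It uses the REAL uid/gid of the invoking
 * process: in a setuid binary the effective ids are root's and say nothing
 * about who called it. Every error path denies. */
int caller_may_verify(uid_t target, const char *trusted_group)
{
    if (may_verify(getuid(), target, NULL, 0, 0))
        return 1;                       /* root or own password: no lookup */

    struct group *gr = getgrnam(trusted_group);
    if (gr == NULL)
        return 0;                       /* group missing: deny */
    gid_t trusted_gid = gr->gr_gid;

    int n = getgroups(0, NULL);         /* ask for the list size first */
    if (n < 0)
        return 0;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL)
        return 0;
    n = getgroups(n, groups);
    if (n < 0) {
        free(groups);
        return 0;
    }
    groups[n] = getgid();               /* real gid may not be in the list */
    int ok = may_verify(getuid(), target, groups, n + 1, trusted_gid);
    free(groups);
    return ok;
}
```

Membership in the trusted group lets a process test password guesses against any account, so a helper gated this way would also want logging and a delay on failed attempts.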