password exchanging

Note to list admin: Cancel my other post, I was subscribed with the wrong address.
---

I'm picking up work on the pam-mysql module again, and I've come across an 
issue. Is it better to send the user-entered encrypted password to the 
mysql server to compare to what it has, or ask the server for the stored 
encrypted password and compare it within the module?
Some sql to help clarify:

select user from `passwd-db` where user='username' and passwd = 'encryptedpassword';
This would return a username if the password matches and 0 results if they 
don't.

- or -

select password from `passwd-db` where user='username';
This will return the encrypted password that the database has stored.


In the first case, we have to send a password to the database which could 
be logged by the server if select queries are logged.

The second case requires that a known good password (in encrypted 
form) be sent to us to check.

There doesn't seem to be this issue when /etc/passwd is used for example, 
because everything is on the same machine. With pam_mysql, there is 
potential for different hosts, etc.

Does anyone have any suggestions on which method would be better? (for some
value of better)


-james
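
The two query patterns described in the message above, as an added example that is not part of the original post: both are run against an in-memory SQLite database standing in for the MySQL server, with a trace callback recording what a statement log would capture. The `passwd_db` schema with its `salt` column, the PBKDF2 hashing and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

def kdf(password, salt):
    # PBKDF2 stands in for the module's password hashing scheme (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def make_db(log):
    # In-memory SQLite stands in for the remote MySQL server (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passwd_db (user TEXT PRIMARY KEY, salt BLOB, passwd TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO passwd_db VALUES (?, ?, ?)",
               ("alice", salt, kdf("correct horse", salt)))  # constructed account
    db.commit()
    # From here on, capture each statement as a server-side query log would.
    db.set_trace_callback(log.append)
    return db

def check_on_server(db, user, password):
    # First method: the candidate hash travels to the server inside the query.
    row = db.execute("SELECT salt FROM passwd_db WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    hit = db.execute("SELECT user FROM passwd_db WHERE user = ? AND passwd = ?",
                     (user, kdf(password, row[0]))).fetchone()
    return hit is not None

def check_in_module(db, user, password):
    # Second method: only the username is sent; the stored hash is returned to us.
    row = db.execute("SELECT salt, passwd FROM passwd_db WHERE user = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Compare inside the module, in constant time.
    return hmac.compare_digest(kdf(password, salt), stored)

def hash_seen_in_log(method, password):
    # Returns (login_ok, did the password-derived hash appear in the query log?).
    log = []
    db = make_db(log)
    ok = method(db, "alice", password)
    db.set_trace_callback(None)  # stop logging before the bookkeeping query
    salt = db.execute("SELECT salt FROM passwd_db WHERE user = 'alice'").fetchone()[0]
    return ok, any(kdf(password, salt) in stmt for stmt in log)

if __name__ == "__main__":
    for m in (check_on_server, check_in_module):
        print(m.__name__, hash_seen_in_log(m, "correct horse"), hash_seen_in_log(m, "wrong guess"))
```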