Re: getpwnam with md5 encrypted passwds

From: Clifton Royston (cliftonr_at_tikitechnologies.com)
Date: 11/26/03

  • Next message: Leo Bicknell: "healthd oddities"
    Date: Wed, 26 Nov 2003 11:20:14 -1000
    To: freebsd-hackers@freebsd.org
    
    

    On Wed, Nov 26, 2003 at 12:01:01PM -0800, freebsd-hackers-request@freebsd.org wrote:
    > Date: Wed, 26 Nov 2003 16:05:30 +0200
    > From: Peter Pentchev <roam@ringlet.net>
    > Subject: Re: getpwnam with md5 encrypted passwds
    > To: Kai Mosebach <kai@freshx.de>
    > Cc: freebsd-hackers@freebsd.org
    > Message-ID: <20031126140530.GB307@straylight.m.ringlet.net>
    > Content-Type: text/plain; charset="windows-1251"
    >
    > On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
    > > > -----Original Message-----
    > > > From: Terry Lambert [mailto:tlambert2@mindspring.com]
    > > > Sent: Wednesday, 26 November 2003 13:34
    > > > To: sapdb@komadev.de
    > > > Cc: freebsd-hackers@freebsd.org
    > > > Subject: Re: getpwnam with md5 encrypted passwds
    > > >
    > > > "sapdb@komadev.de" wrote:
    > > > > I am trying to validate a given user password against my local passwd-file with
    > > > > this piece of code:
    ...
    > > > I know you have the fix for the crypt of the wrong field, but the
    > > > proper thing to do is probably to use pan_authenticate() so that
    > > > you are insensitive to the authentication method being used, rather
    > > > than crypting and comparing it yourself.
    > >
    > > Looks interesting ... is this method also usable when I have dropped my privs?
    >
    > I think Terry meant pam_authenticate() (not pan), but to answer your
    > question: no, when you drop your privileges, you do not have access to
    > at least the system's password database (/etc/spwd.db, generated from
    > /etc/passwd and /etc/master.passwd by pwd_mkdb(8)). If this will be any
    > consolation, getpwnam() won't return a password field when you have
    > dropped root privileges either.

      If you will need to do authentication after your program drops
    privileges, your best course is probably to go through PAM, to install
    a separate daemon which implements a PAM-supported protocol and which
    runs with privileges, and then to enable that protocol as a PAM
    authentication method for your application.
     
      For example, you can install a RADIUS server bound to localhost which
    runs as root and authenticates against the master password file.
    Configure the necessary /etc files for pam_radius as described in its
    man pages, and then add "pam_radius" as an authentication method in
    /etc/pam.conf for your application. Now you do need to make your
    application go through the PITA required to be a PAM client, but it can
    at least authenticate without needing root privileges itself. I
    implemented this pretty recently, so I know the approach works, even if
    it may seem rather roundabout. (LDAP would be another PAM-supported
    option, but RADIUS seemed simpler to set up in a hurry.)

      -- Clifton

    -- 
              Clifton Royston  --  cliftonr@tikitechnologies.com 
             Tiki Technologies Lead Programmer/Software Architect
    Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
      Did you ever milk this kind of cow?  Well we can do it.  We know how.
    If you never did, you should.  These things are fun, and fun is good.
                                                                     -- Dr. Seuss
