Re: getpwnam with md5 encrypted passwds

From: Clifton Royston (cliftonr_at_tikitechnologies.com)
Date: 11/27/03

  • Next message: rmkml: "question about _exit() function" 
    Date: Thu, 27 Nov 2003 08:26:32 -1000
To: Terry Lambert <tlambert2@mindspring.com>

    On Wed, Nov 26, 2003 at 11:10:01PM -0800, Terry Lambert wrote:
    > Clifton Royston wrote:
    > > If you will need to do authentication after your program drops
    > > privileges, your best course is probably to go through PAM, to install
    > > a separate daemon which implements a PAM-supported protocol and which
    > > runs with privileges, and then to enable that protocol as a PAM
    > > authentication method for your application.
    >
    > [ ... RADIUS example with LDAP mention ... ]
    >
    > Sounds like a good approach, though I'll point out that had
    > you tried LDP, you would have been hard-put to use LDAP as a
    > proxy protocol to another authentication base (a PAM backend
    > for an LDAP server, while not quite impossible, would be very
    > hard).
     
    Glad I went with my gut feeling rather than wasting a lot of time
    looking into it then...

    > How did you avoid the recursion problem of the RADIUS server
    > trying to authenticate via pam_radius to the RADIUS server
    > tyring to authenticate ...

    That is avoided two ways, either of which would do to prevent the
    deadly recursion.

    First the RADIUS server (FreeRadius) is currently set up to implement
    "Unix auth" directly against spwd.db, not via PAM. Second, it's not
    enabled as the default PAM authentication method for all applications,
    only for some specific application tokens.

    We have an intention to add to the application auth against some
    separate non-password db files, followed by OTP support down the road.
    Hopefully as it uses PAM both should now be relatively easy.
      -- Clifton 

    -- 
          Clifton Royston  --  cliftonr@tikitechnologies.com 
         Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
  • Next message: rmkml: "question about _exit() function"

    Relevant Pages