From owner-freebsd-hackers@FreeBSD.ORG Wed Nov 26 13:20:19 2003
Date: Wed, 26 Nov 2003 11:20:14 -1000
From: Clifton Royston <cliftonr@lava.net>
To: freebsd-hackers@freebsd.org
Subject: Re: getpwnam with md5 encrypted passwds
Message-ID: <20031126112014.C8040@tikitechnologies.com>
References: <20031126200101.8B45116A4D0@hub.freebsd.org>
In-Reply-To: <20031126200101.8B45116A4D0@hub.freebsd.org>; 12:01:01PM -0800
List-Id: Technical Discussions relating to FreeBSD

On Wed, Nov 26, 2003 at 12:01:01PM -0800, freebsd-hackers-request@freebsd.org wrote:
> Date: Wed, 26 Nov 2003 16:05:30 +0200
> From: Peter Pentchev
> Subject: Re: getpwnam with md5 encrypted passwds
> To: Kai Mosebach
> Cc: freebsd-hackers@freebsd.org
> Message-ID: <20031126140530.GB307@straylight.m.ringlet.net>
> Content-Type: text/plain; charset="windows-1251"
>
> On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
> > > -----Original Message-----
> > > From: Terry Lambert [mailto:tlambert2@mindspring.com]
> > > Sent: Wednesday, 26 November 2003 13:34
> > > To: sapdb@komadev.de
> > > Cc: freebsd-hackers@freebsd.org
> > > Subject: Re: getpwnam with md5 encrypted passwds
> > >
> > > "sapdb@komadev.de" wrote:
> > > > I am trying to validate a given user password against my local passwd-file
> > > > with this piece of code : ...
> > > I know you have the fix for the crypt of the wrong field, but the
> > > proper thing to do is probably to use pan_authenticate() so that
> > > you are insensitive to the authentication method being used, rather
> > > than crypting and comparing it yourself.
> >
> > Looks interesting ... is this method also usable when I dropped my privs?
>
> I think Terry meant pam_authenticate() (not pan), but to answer your
> question: no, when you drop your privileges, you do not have access to
> at least the system's password database (/etc/spwd.db, generated from
> /etc/passwd and /etc/master.passwd by pwd_mkdb(8)). If this will be any
> consolation, getpwnam() won't return a password field when you have
> dropped root privileges either.

If you will need to do authentication after your program drops privileges, your best course is probably to go through PAM, to install a separate daemon which implements a PAM-supported protocol and which runs with privileges, and then to enable that protocol as a PAM authentication method for your application.

For example, you can install a RADIUS server bound to localhost which runs as root and authenticates against the master password file. Configure the necessary /etc files for pam_radius as described in its man pages, and then add "pam_radius" as an authentication method in /etc/pam.conf for your application. Now you do need to make your application go through the PITA required to be a PAM client, but it can at least authenticate without needing root privileges itself.

I implemented this pretty recently, so I know the approach works, even if it may seem rather roundabout. (LDAP would be another PAM-supported option, but RADIUS seemed simpler to set up in a hurry.)

  -- Clifton

--
    Clifton Royston  --  cliftonr@tikitechnologies.com
       Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss