Date:      Wed, 26 Nov 2003 11:20:14 -1000
From:      Clifton Royston <cliftonr@tikitechnologies.com>
To:        freebsd-hackers@freebsd.org
Subject:   Re: getpwnam with md5 encrypted passwds
Message-ID:  <20031126112014.C8040@tikitechnologies.com>
In-Reply-To: <20031126200101.8B45116A4D0@hub.freebsd.org>; 12:01:01PM -0800
References:  <20031126200101.8B45116A4D0@hub.freebsd.org>

On Wed, Nov 26, 2003 at 12:01:01PM -0800, freebsd-hackers-request@freebsd.org wrote:
> Date: Wed, 26 Nov 2003 16:05:30 +0200
> From: Peter Pentchev <roam@ringlet.net>
> Subject: Re: getpwnam with md5 encrypted passwds
> To: Kai Mosebach <kai@freshx.de>
> Cc: freebsd-hackers@freebsd.org
> Message-ID: <20031126140530.GB307@straylight.m.ringlet.net>
> Content-Type: text/plain; charset="windows-1251"
> 
> On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
> > > -----Original Message-----
> > > From: Terry Lambert [mailto:tlambert2@mindspring.com]
> > > Sent: Wednesday, 26 November 2003 13:34
> > > To: sapdb@komadev.de
> > > Cc: freebsd-hackers@freebsd.org
> > > Subject: Re: getpwnam with md5 encrypted passwds
> > > 
> > > "sapdb@komadev.de" wrote:
> > > > I am trying to validate a given user password against my local passwd-file with
> > > > this piece of code:
...
> > > I know you have the fix for the crypt of the wrong field, but the
> > > proper thing to do is probably to use pan_authenticate() so that
> > > you are insensitive to the authentication method being used, rather
> > > than crypting and comparing it yourself.
> > 
> > Looks interesting ... is this method also usable when I have dropped my privs?
> 
> I think Terry meant pam_authenticate() (not pan), but to answer your
> question: no, when you drop your privileges, you do not have access to
> at least the system's password database (/etc/spwd.db, generated from
> /etc/passwd and /etc/master.passwd by pwd_mkdb(8)).  If this will be any
> consolation, getpwnam() won't return a password field when you have
> dropped root privileges either.

  If you will need to do authentication after your program drops
privileges, your best course is probably to go through PAM, to install
a separate daemon which implements a PAM-supported protocol and which
runs with privileges, and then to enable that protocol as a PAM
authentication method for your application.
 
  For example, you can install a RADIUS server bound to localhost which
runs as root and authenticates against the master password file. 
Configure the necessary /etc files for pam_radius as described in its
man pages, and then add "pam_radius" as an authentication method in
/etc/pam.conf for your application.  Now you do need to make your
application go through the PITA required to be a PAM client, but it can
at least authenticate without needing root privileges itself.  I
implemented this pretty recently, so I know the approach works, even if
it may seem rather roundabout.  (LDAP would be another PAM-supported
option, but RADIUS seemed simpler to set up in a hurry.)

  -- Clifton

-- 
          Clifton Royston  --  cliftonr@tikitechnologies.com 
         Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss
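The two configuration pieces Clifton describes, written out as an added illustration rather than anything from the thread or from FreeBSD itself. The service name "myapp", the loopback listener and the shared secret are assumptions, and the secret is a placeholder to be replaced; the line formats follow radius.conf(5) and pam.conf(5).

```conf
# /etc/radius.conf, read by pam_radius.  Line format per radius.conf(5):
#   [service] server[:port] secret [timeout [max_tries]]
# Assumed: a RADIUS daemon running as root, bound to 127.0.0.1 only,
# which checks credentials against the master password file itself.
# 1812 is the standard RADIUS authentication port.
auth 127.0.0.1:1812 "REPLACE_WITH_SHARED_SECRET" 3 2

# /etc/pam.conf entries for the assumed application service "myapp".
# Only the auth facility is shown: that is the step the unprivileged
# client hands off to RADIUS instead of reading the password database.
#   service  type  control   module         module-options
myapp        auth  required  pam_radius.so
```

Because pam_radius runs inside the unprivileged client, the file holding the shared secret has to be readable by that user; pam_radius(8)'s conf= option lets you point it at a copy owned by that user and readable by nobody else, instead of loosening permissions on the system-wide file.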



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031126112014.C8040>