Date: Thu, 27 Nov 2003 08:26:32 -1000 From: Clifton Royston <cliftonr@tikitechnologies.com> To: Terry Lambert <tlambert2@mindspring.com> Cc: freebsd-hackers@freebsd.org Subject: Re: getpwnam with md5 encrypted passwds Message-ID: <20031127082632.A27927@tikitechnologies.com> In-Reply-To: <3FC5A349.3FCA4DE9@mindspring.com>; from tlambert2@mindspring.com on Wed, Nov 26, 2003 at 11:10:01PM -0800 References: <20031126200101.8B45116A4D0@hub.freebsd.org> <20031126112014.C8040@tikitechnologies.com> <3FC5A349.3FCA4DE9@mindspring.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Nov 26, 2003 at 11:10:01PM -0800, Terry Lambert wrote:
> Clifton Royston wrote:
> > If you will need to do authentication after your program drops
> > privileges, your best course is probably to go through PAM, to install
> > a separate daemon which implements a PAM-supported protocol and which
> > runs with privileges, and then to enable that protocol as a PAM
> > authentication method for your application.
>
> [ ... RADIUS example with LDAP mention ... ]
>
> Sounds like a good approach, though I'll point out that had
> you tried LDP, you would have been hard-put to use LDAP as a
> proxy protocol to another authentication base (a PAM backend
> for an LDAP server, while not quite impossible, would be very
> hard).
Glad I went with my gut feeling rather than wasting a lot of time
looking into it then...
> How did you avoid the recursion problem of the RADIUS server
> trying to authenticate via pam_radius to the RADIUS server
> tyring to authenticate ...
That is avoided two ways, either of which would do to prevent the
deadly recursion.
First the RADIUS server (FreeRadius) is currently set up to implement
"Unix auth" directly against spwd.db, not via PAM. Second, it's not
enabled as the default PAM authentication method for all applications,
only for some specific application tokens.
We have an intention to add to the application auth against some
separate non-password db files, followed by OTP support down the road.
Hopefully as it uses PAM both should now be relatively easy.
-- Clifton
--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031127082632.A27927>