Date: Wed, 20 May 2015 02:20:50 +0000 (UTC)
From: Dan Mahoney
To: questions@freebsd.org
Subject: How difficult would it be to PAM-ify chsh?

Hey there,

It looks like chsh is pretty heavily tied in with YP/NIS, but nothing else (no PAM, no libnss support).

Here in our work environment at DayJob, Inc, we use Kerberos, which means most of our users have a "*" in their master.passwd entries. Annoyingly, this means that they can't change their base info.

So, has anyone come across, perhaps:

1) a third-party installable drop-in that could live in /usr/local/bin to do this sort of thing, that knows how to speak PAM.

2) Or does someone know how difficult it would be to add the requisite hooks to this code to do the checking. The tool is already setUID, after all, it has to be to manipulate the password file.

I could totally turn this into a PR, but I figured I'd ask here first.

-Dan