From: Roger Dunk (rogerat.com.au)
Date: Mon Feb 19 2001 - 22:06:45 CST

    Thanks guys. That does make sense now. I think I'll do what you suggested
    and modify unix_chkpwd. I guess the thing that stumped me (and caused untold
    hours of pain) was that the default PAM libs that shipped with the Cobalt
    RAQ3 must have already allowed user/group 'http' to verify any
    login/password against /etc/shadow, which I automatically assumed to be the
    norm. Oh well, you live and learn eh.

    Cheers...
    Roger

    ----- Original Message -----
    From: "Ben Collins" <bcollinsdebian.org>
    To: <pam-listredhat.com>
    Sent: Tuesday, February 20, 2001 2:57 PM
    Subject: Re: /etc/shadow problem

    > >
    > > This question comes up often enough that I've considered writing a number of
    > > unix_chkpwd variants that could be shipped with Linux-PAM (but not enabled by
    > > default!). I'm still not sure if this is a good idea, or if it's just inviting
    > > trouble when admins start using that functionality without examining the
    > > security implications...
    > >
    >
    > You could probably modify unix_chkpwd to check a config file, or
    > hardcoded group for "trusted" users that can verify any uid, then make
    > it suid root. Would require some special care, but it might prove
    > useful. Then you can just make the web server's uid/gid part of the
    > trusted group, so it can verify from pam_unix.so.
    >
    > Ben
    >
    > --
    > -----------=======-=-======-=========-----------=====------------=-=------
    > /  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
    > `  bcollinsdebian.org  --  bcollinsopenldap.org  --  bcollinslinux.com  '
    > `---=========------=======-------------=-=-----=-===-======-------=--=---'
    >
    > _______________________________________________
    > Pam-list mailing list
    > Pam-listredhat.com
    > https://listman.redhat.com/mailman/listinfo/pam-list

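The suggestion quoted above (a trusted group whose members may verify any uid through a setuid-root helper) reduces to one authorization decision made on the caller's real credentials. The C below is an added example, not code from Linux-PAM or from anyone on the thread; the group name `pwverify` and both function names are hypothetical, and it assumes the helper is setuid but not setgid.

```c
#include <grp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define TRUSTED_GROUP "pwverify" /* hypothetical group name, not from Linux-PAM */

/* Policy only: may a caller with these REAL credentials verify target_uid? */
bool caller_may_verify(uid_t caller_uid, gid_t caller_gid,
                       const gid_t *supp, size_t nsupp, uid_t target_uid,
                       bool have_trusted, gid_t trusted_gid)
{
    if (caller_uid == 0 || caller_uid == target_uid)
        return true;            /* root, or a user checking their own password */
    if (!have_trusted)
        return false;           /* trusted group not defined: fail closed */
    if (caller_gid == trusted_gid)
        return true;            /* trusted via primary group */
    for (size_t i = 0; i < nsupp; i++)
        if (supp[i] == trusted_gid)
            return true;        /* trusted via supplementary group */
    return false;
}

/* Collect the invoking process's real identity. In a setuid-root helper
 * geteuid() is always 0, so only getuid()/getgid() identify the caller. */
bool current_caller_may_verify(uid_t target_uid)
{
    gid_t supp[64];
    int n = getgroups(64, supp);
    if (n < 0)
        n = 0;                  /* cannot read groups: no group-based trust */
    struct group *gr = getgrnam(TRUSTED_GROUP);
    return caller_may_verify(getuid(), getgid(), supp, (size_t)n, target_uid,
                             gr != NULL, gr ? gr->gr_gid : 0);
}

int main(void)
{
    /* uid 0 as the target stands in for "some other account". */
    printf("verify own uid:  %s\n", current_caller_may_verify(getuid()) ? "allow" : "deny");
    printf("verify uid 0:    %s\n", current_caller_may_verify(0) ? "allow" : "deny");
    return 0;
}
```

Membership in the trusted group lets every process running with it, including anything the web server executes, test passwords for all accounts, so the group should stay as small as the deployment allows.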