OSEC

From: Wil Cooley (wcooleynakedape.cc)
Date: Wed Nov 21 2001 - 09:38:01 CST


    Also Sprach Andreas Hasenack:
    > Em Wed, Nov 21, 2001 at 07:05:40AM -0800, Wil Cooley escreveu:
    > > successfully opening /etc/shadow, although I guess not. (I guess
    > > I assumed pam_unix.so would call unix_chkpwd if it wasn't root.)
    >
    > It does, but only to authenticate the user calling it, not somebody
    > else, iirc.

    Ah, okay. I thought it would work like SASL's pwcheck/saslauthd.

    > > > Or use the pwcheck method in SASL, which also requires another
    > > > daemon. I've never tried that, though.
    > >
    > > grep'ing through the txts with my pam distribution, I don't see
    > > any docs on configuring unix_chkpwd, how the heck to use it?
    >
    > It's part of the sasl package. I think the only doc is a small readme
    > and a FAQ entry, you should be able to find it in the tarball or at
    > the sasl website.

    No, I was talking about PAM's unix_chkpwd, not Cyrus SASL's pwcheck. I
    see from what you wrote above what unix_chkpwd is for.

    > But it's only for plaintext passwords, if you use /etc/sasldb,
    > for instance, it should be enough to have that file readable by the
    > postfix daemon. I tried it once with openldap running as an "ldap"
    > user and granting read access to that file (sasldb) for the "ldap"
    > group, it worked. But this gets more complex if other daemons need
    > read access to it too.

    Right, that's what I did. The sasldb my Cyrus IMAP rpms made was
    owned by cyrus:mail, and smtpd happens to run :mail, so a simple
    addition of group writability took care of it.

    The idiot I am, I didn't try to un-shadow my password file to
    test it. I've set this up about once every year for the last 3
    years and I keep forgetting the debugging tricks I learn...

    Wil

    -- 
    W. Reilly Cooley                           wcooleynakedape.cc
    Naked Ape Consulting                        http://nakedape.cc
    irc.linux.com                             #orlug,#pdxlug,#lnxs
    

    "There was a vague, unpleasant manginess about his appearance; he somehow seemed dirty, though a close glance showed him as carefully shaven as an actor, and clad in immaculate linen." -- H.L. Mencken, on the death of William Jennings Bryan


    _______________________________________________ Pam-list mailing list Pam-listredhat.com https://listman.redhat.com/mailman/listinfo/pam-list
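
The group-based access to sasldb discussed in this thread can be checked with a small permission audit. This is an added example, not part of the original messages: the function names are hypothetical and the numeric uids/gids are constructed. It models only classic owner/group/other evaluation.

```python
import stat

def effective_access(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Classic Unix check: exactly one class (owner, group, other) applies,
    chosen in that order. ACLs, capabilities and root are not modelled."""
    if proc_uid == file_uid:
        cls, r, w = "owner", stat.S_IRUSR, stat.S_IWUSR
    elif file_gid in proc_gids:
        cls, r, w = "group", stat.S_IRGRP, stat.S_IWGRP
    else:
        cls, r, w = "other", stat.S_IROTH, stat.S_IWOTH
    return cls, bool(mode & r), bool(mode & w)

def audit_sasldb(mode, file_uid, file_gid, daemons):
    """daemons: {name: (uid, set_of_gids)}. Returns a list of report lines."""
    report = []
    for name, (uid, gids) in sorted(daemons.items()):
        cls, can_read, can_write = effective_access(
            mode, file_uid, file_gid, uid, gids)
        access = ("r" if can_read else "-") + ("w" if can_write else "-")
        report.append(f"{name}: class={cls} access={access}")
    # Any "other" bit exposes the stored secrets to every local account.
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        report.append("WARNING: secrets file is accessible to every local account")
    return report

# Constructed sample identities (numeric ids are made up for the example).
CYRUS_UID, MAIL_GID = 76, 12
DAEMONS = {
    "cyrus-imapd": (CYRUS_UID, {MAIL_GID}),  # file owner
    "smtpd": (89, {MAIL_GID}),               # runs with group mail, as in the thread
    "ldap": (55, {55}),                      # not a member of group mail
}

if __name__ == "__main__":
    # Walk a few candidate modes for a file owned by cyrus:mail.
    for mode in (0o600, 0o640, 0o660, 0o644):
        print(oct(mode))
        for line in audit_sasldb(mode, CYRUS_UID, MAIL_GID, DAEMONS):
            print("  " + line)
```

Because only the first matching class is consulted, a process that owns the file gets the owner bits even when the group bits are more permissive.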