Re: /etc/shadow and mod_auth_pam with pam_pwdb
- From: Savochkin Andrey Vladimirovich <saw msu ru>
- To: thi <ttn gnu org>
- Cc: pam-list redhat com
- Subject: Re: /etc/shadow and mod_auth_pam with pam_pwdb
- Date: Sun, 21 Feb 1999 10:22:01 +0300
On Fri, Feb 19, 1999 at 10:07:40PM -0500, thi wrote:
> the problem is that the pam_pwdb library is unable to authenticate
> anyone other than the user running the server (httpd, in this case)
> using the /sbin/pwdb_chkpwd helper application. pam_pwdb works great
> with most other servers as they are run as root.
>
> i am trying to fix this situation by changing the interface between
> pam_pwdb and pwdb_chkpwd so the helper application takes both a userid
> and a password to verify it with /etc/shadow. i also plan to restrict
> the read/execute permissions on /sbin/pwdb_chkpwd to owner/group and
> make httpd be a member of this group.
>
> comments/suggestions? (btw, using linux-pam-0.66 and pwdb-0.55)

You should understand well that processes/users which have execute access
to your modified /sbin/pwdb_chkpwd are able to perform a brute force attack.
If I needed to set up such an http configuration I'd give the httpd a separate
pair of passwd/shadow
1. without root and other powerful accounts, and
2. with user passwords different from passwords for the other services.

Best regards
Andrey V. Savochkin
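
One way to check the two conditions from the reply above on an existing file pair. This is an added example, not part of the original message; the file contents, the function names and the `min_uid` threshold of 500 are assumptions.

```python
# Audit a dedicated passwd/shadow pair meant for httpd authentication only.
# All account names and hash strings below are constructed placeholders.
WEB_PASSWD = """root:x:0:0::/root:/bin/sh
alice:x:1001:1001::/nonexistent:/bin/false
bob:x:1002:1002::/nonexistent:/bin/false
"""
WEB_SHADOW = """root:$1$SALTAAAA$constructedhashroot:10643::::::
alice:$1$SALTBBBB$constructedhashalice:10643::::::
bob:$1$SALTCCCC$constructedhashbobweb:10643::::::
"""
SYSTEM_SHADOW = """root:$1$SALTDDDD$constructedhashsysroot:10643::::::
alice:$1$SALTBBBB$constructedhashalice:10643::::::
bob:$1$SALTEEEE$constructedhashbobsys:10643::::::
"""

def parse_colon_file(text):
    """Return {name: fields} for passwd(5)/shadow(5) style text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def audit_web_auth_files(web_passwd, web_shadow, system_shadow, min_uid=500):
    """Return sorted (user, finding) pairs for the httpd-only file pair."""
    passwd, shadow, system = map(
        parse_colon_file, (web_passwd, web_shadow, system_shadow))
    findings = []
    for user, f in passwd.items():
        if len(f) < 3 or not f[2].isdigit():
            findings.append((user, "malformed passwd entry"))
        elif user == "root" or int(f[2]) == 0:
            findings.append((user, "root-equivalent account present"))
        elif int(f[2]) < min_uid:  # min_uid is an assumed site policy value
            findings.append((user, "system account present"))
    for user, f in shadow.items():
        h = f[1] if len(f) > 1 else ""
        if user not in passwd:
            findings.append((user, "shadow entry without passwd entry"))
        if h == "":
            findings.append((user, "empty password field"))
        # Equal hash strings mean same salt and password; unequal proves nothing.
        elif h[0] not in "!*" and len(system.get(user, [])) > 1 and h == system[user][1]:
            findings.append((user, "hash identical to system shadow"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit_web_auth_files(WEB_PASSWD, WEB_SHADOW, SYSTEM_SHADOW))
```

A differing hash does not show that the passwords differ, since the same password hashed with another salt produces another string, so the second condition still has to be enforced when passwords are set.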