Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 12 Aug 2012 13:34:17 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Design for extensible passwd[/shadow?] db support

On Sun, Aug 12, 2012 at 01:38:02AM -0400, Rich Felker wrote:
> The first main question is what protocol to use. One really simple
> choice would be a plain text protocol where the name/uid of requested
> user is sent over a socket (probably a datagram unix socket) and the
> response comes back in standard colon-delimited passwd format for the
> existing passwd code to parse. This seems very clean, but as far as I
> know it doesn't have any existing implementations.
> 
> Alternatively, we could make musl speak an existing query language
> (e.g. LDAP) directly, such that it could interface with any existing
> server out there that speaks the chosen protocol, or with a proxy that
> translates to other protocols like NIS.

A third approach: using the nscd protocol used by glibc/nss. This
would allow musl-linked binaries running as guests on glibc-based
systems with nscd to perform user lookups through whatever service the
host system was using, without any further configuration. The glibc
nscd daemon would not be useful itself on musl-based systems, since it
depends on glibc/nss, but a drop-in clone for it could easily be
written and later fleshed-out with support for NIS, LDAP, and any
other potentially-interesting user database backends.

If folks think this third option is a good one, we'll need to dig up
(or reverse engineer..?) specs on how the nscd protocol works. It
might be a good idea to do this first before making a decision anyway,
since if the protocol is bad enough (bloat, robustness failures, etc.)
we might need to pick something else even if it does have other good
qualities..

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.