Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 12 Aug 2012 20:31:10 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Design for extensible passwd[/shadow?] db support

On Sun, Aug 12, 2012 at 08:26:24PM -0400, idunham@...abit.com wrote:
> > Presumably at some point, musl will be used in environments where it's
> > not feasible to have the entire user database in a flat password file.
> > Despite NIS being hideous, largish institutions use it for this
> > reason; presumably LDAP is a much better option, and there may be
> > other options still I'm not aware of.
> 
> Out of curiosity, is PAM excluded from consideration? Does it require a
> dynamically-loaded library?

PAM is not an implementation of the user database. It's for
authenticating logins. Completely different problem domain.

> > The first main question is what protocol to use. One really simple
> > choice would be a plain text protocol where the name/uid of requested
> > user is sent over a socket (probably a datagram unix socket) and the
> > response comes back in standard colon-delimited passwd format for the
> > existing passwd code to parse. This seems very clean, but as far as I
> > know it doesn't have any existing implementations.
> 
> I presume, for security reasons, that this would be the contents of
> /etc/passwd as found on shadow-enabled systems...but how does the password
> get authenticated?
> Or are unix sockets immune to sniffing?

Yes, they're immune to sniffing. The decision to use shadow or not is
independent of the decision on how to acess the user database.

> > Alternatively, we could make musl speak an existing query language
> > (e.g. LDAP) directly, such that it could interface with any existing
> > server out there that speaks the chosen protocol, or with a proxy that
> > translates to other protocols like NIS.
> 
> If you do any sort of communication over sockets/networks/... with a
> daemon, I'd suggest having musl communicate with a PAM-capable daemon.
> PAM is meant for scenarios like this.

No, PAM is made for logging in. Not telling which user has which uid
and what their realnames, home directories, or preferred shells are..

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.