Disillusioned with PAM

Clifton Royston cliftonr at tikitechnologies.com
Fri Dec 12 12:43:05 PST 2003


On Fri, Dec 12, 2003 at 12:00:46PM -0800, freebsd-hackers-request at freebsd.org wrote:
> Date: Fri, 12 Dec 2003 17:31:36 +1030
> From: "Daniel O'Connor" <doconnor at gsoft.com.au>
> Subject: Re: Disillusioned with PAM
> On Thursday 11 December 2003 20:35, staf wagemakers wrote:
> > >   /usr/bin/passwd will be a real pain to use for a Web GUI as it
> > > requires a pty, which means extensive "coding around it" to fake one up
> > > for it a la poppassd.  I thought PAM was going to solve this for me,
> > > because of the "password management" function designed in... only it
> > > appears so far that no PAM method which implements local password
> > > changing actually exists on FreeBSD.  What a mess.
> >
> > CGIpaf supports FreeBSD without PAM; basically it runs "pwd_mkdb" to
> > update the password. If you need C functions to update a password the
> > source might be useful to you.  http://staf.patat.org/cgipaf/
> 
> The 'pw' command can change passwords (among many other things) and it does
> not need a pty, e.g.:
> echo newpassword | pw usermod foobar -h 0 

  Thanks for taking the time for the note.  One of my co-workers
suggested pw to me the previous evening, and I discovered the -h option
in the man page.  I had my CGI working to do password changes before
the end of the evening, so I can confirm that this solution works fine!
 
> In a CGI you would open a pipe to pw and feed it the password.
 
  It's just a hair trickier, because you presumably don't want your CGI
to run as root, nor to have pw be suid - but a tiny suid wrapper in
Perl with thorough parameter and taint checking took care of that. 
Just recording the solution for the archives.

  -- Clifton

-- 
          Clifton Royston  --  cliftonr at tikitechnologies.com 
         Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss
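
The parameter checking described in the message above, sketched as an added example; it is not part of the original post and is not the author's Perl wrapper. It validates the untrusted CGI fields, then runs pw with an argument vector (no shell) and feeds the password on fd 0 for "-h 0". The username pattern, the protected-account list and the length limits are assumptions of this example, and the caller is assumed to have already authenticated the user.

```python
import re
import subprocess

# Assumption: a conservative account-name policy chosen for this example.
# The first character can never be '-', so a name cannot be read as an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,15}")
# Assumption: hypothetical deny-list of accounts the web GUI must never touch.
PROTECTED = {"root", "toor", "daemon", "operator"}


def build_pw_request(username, new_password):
    """Validate untrusted CGI input; return (argv, stdin_bytes) for pw."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if username in PROTECTED:
        raise ValueError("refusing to change a system account")
    if not 8 <= len(new_password) <= 128:
        raise ValueError("password length out of range")
    # pw reads one line from the descriptor, so an embedded newline or other
    # control character would truncate or corrupt the password.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in new_password):
        raise ValueError("control character in password")
    # Same command as in the quoted mail: pw usermod <user> -h 0
    argv = ["/usr/sbin/pw", "usermod", username, "-h", "0"]
    return argv, (new_password + "\n").encode("utf-8")


def change_password(username, new_password, run=subprocess.run):
    """Run pw without a shell, with a fixed environment; True on success."""
    argv, data = build_pw_request(username, new_password)
    result = run(
        argv,
        input=data,                                # password goes down the pipe
        env={"PATH": "/usr/sbin:/usr/bin:/bin"},   # drop the CGI environment
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample input; prints the request without executing pw.
    print(build_pw_request("foobar", "correct horse"))
```

The run parameter exists so the call can be exercised without root; in a deployed wrapper it stays at its default.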

