getpwnam with md5 encrypted passwds

Clifton Royston cliftonr at tikitechnologies.com
Wed Nov 26 13:20:19 PST 2003


On Wed, Nov 26, 2003 at 12:01:01PM -0800, freebsd-hackers-request at freebsd.org wrote:
> Date: Wed, 26 Nov 2003 16:05:30 +0200
> From: Peter Pentchev <roam at ringlet.net>
> Subject: Re: getpwnam with md5 encrypted passwds
> To: Kai Mosebach <kai at freshx.de>
> Cc: freebsd-hackers at freebsd.org
> Message-ID: <20031126140530.GB307 at straylight.m.ringlet.net>
> Content-Type: text/plain; charset="windows-1251"
> 
> On Wed, Nov 26, 2003 at 02:21:04PM +0100, Kai Mosebach wrote:
> > > -----Original Message-----
> > > From: Terry Lambert [mailto:tlambert2 at mindspring.com]
> > > Sent: Wednesday, 26 November 2003 13:34
> > > To: sapdb at komadev.de
> > > Cc: freebsd-hackers at freebsd.org
> > > Subject: Re: getpwnam with md5 encrypted passwds
> > > 
> > > "sapdb at komadev.de" wrote:
> > > > I am trying to validate a given user password against my local
> > > > passwd-file with this piece of code:
...
> > > I know you have the fix for the crypt of the wrong field, but the
> > > proper thing to do is probably to use pan_authenticate() so that
> > > you are insensitive to the authentication method being used, rather
> > > than crypting and comparing it yourself.
> > 
> > Looks interesting ... is this method also usable when I have dropped my privs?
> 
> I think Terry meant pam_authenticate() (not pan), but to answer your
> question: no, when you drop your privileges, you do not have access to
> at least the system's password database (/etc/spwd.db, generated from
> /etc/passwd and /etc/master.passwd by pwd_mkdb(8)).  If this will be any
> consolation, getpwnam() won't return a password field when you have
> dropped root privileges either.

  If you will need to do authentication after your program drops
privileges, your best course is probably to go through PAM, to install
a separate daemon which implements a PAM-supported protocol and which
runs with privileges, and then to enable that protocol as a PAM
authentication method for your application.
 
  For example, you can install a RADIUS server bound to localhost which
runs as root and authenticates against the master password file. 
Configure the necessary /etc files for pam_radius as described in its
man pages, and then add "pam_radius" as an authentication method in
/etc/pam.conf for your application.  Now you do need to make your
application go through the PITA required to be a PAM client, but it can
at least authenticate without needing root privileges itself.  I
implemented this pretty recently, so I know the approach works, even if
it may seem rather roundabout.  (LDAP would be another PAM-supported
option, but RADIUS seemed simpler to set up in a hurry.)

  -- Clifton

-- 
          Clifton Royston  --  cliftonr at tikitechnologies.com 
         Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss

