Multiple passwords for ftp/ssh
Jake Scott
jake at poptart.org
Thu Mar 17 14:16:08 PST 2005
Hi.
I've just configured a new 5.3-Stable system to use nss_ldap and
pam_ldap. It's all working very well. However, I'd like users to have
two passwords - one for logging into services over encrypted links and
one for unencrypted links - eg. one for ssh/imaps and another for
http/imap/ftp.
I've created a new LDAP object class that provides a new attribute
(insecurePassword). nss_ldap is configured with a rootbinddn, and
"nss_map_attribute userPassword insecurePassword". Now, getent() as
root returns the insecurePassword for users.
So - I've got sshd's PAM config using pam_ldap and pam_unix, and ftp's
PAM config just using pam_unix. This means that when a user logs in via
FTP, they must use the password stored in the insecurePassword
attribute. When logging in via SSH, they can use the password in the
userPassword attribute (authenticated via an LDAP bind operation in
pam_ldap).
The problem is that a user can also use their insecure password via ssh
because I need pam_unix in the PAM chain so that users in the local
password file can also log in. What I'd like is for a user in the LDAP
directory to only be able to log in using their secure (userPassword)
password. It would be good if I could make the PAM chain stop if the
presented password doesn't match the userPassword attribute - but to
continue if that's because the user isn't in the directory.
Does anyone know if there's a way I can do this - or is there a better
way to achieve this?
Many thanks in advance
Jake
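The behaviour Jake describes comes straight from PAM stacking semantics: "sufficient" short-circuits on success but is silently ignored on failure, so the "required" pam_unix line then accepts whatever hash NSS exposes, which here is the insecurePassword. The following is an added toy model of an auth chain, not code from this thread or from OpenPAM/Linux-PAM; the directory, passwd file, users and passwords are constructed. It evaluates the keyword flags (required/requisite/sufficient) as well as a Linux-PAM style result-to-action table (`[success=done user_unknown=ignore default=die]`), which is the mechanism that gives "stop on a bad LDAP password, fall through only when the user is not in LDAP". OpenPAM on FreeBSD supports only the keyword flags, so the bracketed form is shown to illustrate the evaluation logic, not as a drop-in pam.conf line.

```python
"""Toy model of PAM auth-chain evaluation (constructed example, not OpenPAM)."""

OK, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"

# Constructed sample data: one LDAP user with two passwords, one local user.
# nss_map_attribute makes getent() return insecurePassword as alice's unix
# hash, so pam_unix sees her weak password as well.
LDAP = {"alice": {"userPassword": "s3cure", "insecurePassword": "weak"}}
LOCAL = {"bob": "localpw", "alice": LDAP["alice"]["insecurePassword"]}


def pam_ldap(user, pw):
    """Hypothetical pam_ldap: bind as the user with the presented password."""
    if user not in LDAP:
        return USER_UNKNOWN
    return OK if LDAP[user]["userPassword"] == pw else AUTH_ERR


def pam_unix(user, pw):
    """Hypothetical pam_unix: compare against whatever NSS exposes."""
    if user not in LOCAL:
        return USER_UNKNOWN
    return OK if LOCAL[user] == pw else AUTH_ERR


def authenticate(chain, user, pw):
    """Run a chain of (module, control) pairs and return True on success.

    control is either a keyword flag ("required", "requisite", "sufficient")
    or a dict mapping a module result to an action ("done", "die", "ok",
    "bad", "ignore"), mirroring Linux-PAM's bracketed syntax.
    """
    failed = False      # a counted module has failed
    decided = False     # at least one module result has been counted
    for module, control in chain:
        res = module(user, pw)
        if isinstance(control, str):
            if control == "required":
                decided = True
                failed = failed or res != OK
            elif control == "requisite":
                if res != OK:
                    return False
                decided = True
            elif control == "sufficient":
                # success ends the chain unless something already failed;
                # failure is simply ignored, which is the hole in the thread
                if res == OK and not failed:
                    return True
            continue
        action = control.get(res, control.get("default", "bad"))
        if action == "done":
            return res == OK and not failed
        if action == "die":
            return False
        if action == "ok":
            decided = True
        elif action == "bad":
            decided = True
            failed = True
        # "ignore": result does not count toward the final verdict
    return decided and not failed


# The chains from the thread, plus a stricter ssh chain for comparison.
SSH_CHAIN_CURRENT = [(pam_ldap, "sufficient"), (pam_unix, "required")]
SSH_CHAIN_STRICT = [
    (pam_ldap, {"success": "done", "user_unknown": "ignore", "default": "die"}),
    (pam_unix, "required"),
]
FTP_CHAIN = [(pam_unix, "required")]


if __name__ == "__main__":
    for name, chain, user, pw in [
        ("ssh current, alice weak", SSH_CHAIN_CURRENT, "alice", "weak"),
        ("ssh strict,  alice weak", SSH_CHAIN_STRICT, "alice", "weak"),
        ("ssh strict,  alice secure", SSH_CHAIN_STRICT, "alice", "s3cure"),
        ("ssh strict,  bob local", SSH_CHAIN_STRICT, "bob", "localpw"),
        ("ftp,         alice weak", FTP_CHAIN, "alice", "weak"),
    ]:
        print(f"{name}: {authenticate(chain, user, pw)}")
```

Running it shows the current ssh chain accepting alice's insecure password, while the strict chain rejects it, still lets alice in with her real userPassword, and still falls through to pam_unix for bob, who is unknown to LDAP.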