[albatross-users] tamper-resistant authentication code
Andrew McNamara
andrewm at object-craft.com.au
Mon Sep 15 13:53:51 EST 2003
>> It turns out that pwd.getpwnam won't work for beans on a Linux system
>> with shadow passwords.
>
>I had a similar problem a few years ago when trying to authenticate Zope
>users against the Linux password database. In the end I created a
>horrific hack and wrote a suid root script to do the password check ;-).
I had to do a similar thing with one of our Albatross projects - a setuid
root C helper that the cgi spoke to to authenticate users. In the past,
I've also had to do similar things for password changing. I wouldn't
recommend coding the helper in a scripting language - there are too
many gotchyas.
I probably should review the code for missed security vulernabilities
and post it somewhere. It's always made me nervous, since anything like
this weakens system security slightly.
>Is there a Python PAM module that you could use? Would it be any better
>than SASL?
PAM is patchy - the linux pam model that auths against the shadow password
file uses a setuid root helper, but it is rightly paranoid, and refuses
to auth anyone but the user or root (not so useful). Most PAM don't
even go this far - if you aren't euid 0, you can't auth against shadow.
Dunno what the BSD are doing.
--
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
More information about the Albatross-users
mailing list