[Pubcookie-dev] users plugin area
leg+ at andrew.cmu.edu
Fri Jan 10 11:17:37 PST 2003
Date: Fri, 10 Jan 2003 10:08:07 -0600
From: Gary Mills <mills at cc.UManitoba.CA>
The requirement for root access depends on the particular PAM module.
Some, for example those that access the shadow password file or NIS
map, do require root. Others, such as those that use LDAP or SQL,
do not require root. In my case, I have a PAM module that does RPC
calls to a server running as root to check passwords. The PAM verifier
does not have to know about the mechanism behind the PAM modules.
Experience has shown that while this is true, supporting PAM is a
nightmare because most people don't know whether their PAM module
requires root privs or not, and an alternate framework is required for
PAM modules that do need them.
Might as well just have the alternate framework.
> His alternative suggestion has been to use the saslauthd
> stuff from the cyrus-sasl package. I guess this would be a separate
> process running as root that could do PAM verification or several other
> verification types; and weblogin processes would make calls to it. I
> guess the effort of integrating it would be to write a verify_saslauthd
> that made these calls.
That's an interesting alternative. However, it would require a complete
SASL installation on the login server. SASL is a complex facility that
I'd prefer to install only on a mail server.
It would only require saslauthd, which is a subdirectory of the Cyrus
SASL distribution and could easily be distributed with Pubcookie.
saslauthd is relatively simple.
I was assuming that Maurizio was referring to a plugin mechanism that
did not require recompiling - something with dynamically loadable
modules. I didn't have anything specific in mind.
Since the login CGI is exec'd for each use, dynamic loading would be