[opensuse] pam auth and own password file.
Hi there,
is it possible to set up PAM to search for users and passwords in another file, for example "/etc/external_accounts"? With 3DES password's hash...
Thanks and best regards
J.Karliak
--
Bc. Josef Karliak
Network and e-mail administration
Fakultní nemocnice Hradec Králové
Department of Computing Systems
Sokolská 581, 500 05 Hradec Králové
Tel.: +420 495 833 931, Mob.: +420 724 235 654
e-mail: josef.karliak@fnhk.cz, http://www.fnhk.cz

06.01.2017 12:23, josef Karliak wrote:
> Hi there,
> is it possible to set up PAM to search for users and passwords in another file, for example "/etc/external_accounts"? With 3DES password's hash...

There are several alternative PAM modules but all are using crypt() at the end and crypt() does not implement 3DES. So your option is probably to write your own PAM or NSS module that supports an alternative password file and encryption algorithm.

Ohh, damn me - it is not 3DES, but only DES. So that should be OK for PAM?
Thanks and best regards
J.K.

On 6.1.2017 at 13:44, Andrei Borzenkov wrote:
> 06.01.2017 12:23, josef Karliak wrote:
> > Hi there,
> > is it possible to set up PAM to search for users and passwords in another file, for example "/etc/external_accounts"? With 3DES password's hash...
>
> There are several alternative PAM modules but all are using crypt() at the end and crypt() does not implement 3DES. So your option is probably to write your own PAM or NSS module that supports an alternative password file and encryption algorithm.

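Traditional DES crypt(3) hashes can be recognized by shape alone: 13 characters from the crypt alphabet with no `$` prefix. The following is an added example, not code from any poster in this thread, that audits a separate account file for such legacy hashes; the `user:hash` line format and the sample entries are assumptions, since the thread does not say how "/etc/external_accounts" is laid out.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and hashes
SCHEMES = [
    ("des", re.compile(rf"^{B64}{{13}}$")),        # 2-char salt + 11-char hash
    ("bsdi-des", re.compile(rf"^_{B64}{{19}}$")),  # '_' + 4 count + 4 salt + 11 hash
    ("md5", re.compile(r"^\$1\$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$")),
    ("sha256", re.compile(r"^\$5\$")),
    ("sha512", re.compile(r"^\$6\$")),
    ("yescrypt", re.compile(r"^\$y\$")),
]
LEGACY = {"des", "bsdi-des", "md5"}  # schemes worth migrating away from

def classify(hash_field):
    """Name the crypt(3) scheme a stored hash field appears to use."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "!*":
        return "locked"
    for name, pattern in SCHEMES:
        if pattern.search(hash_field):
            return name
    return "unknown"

def audit(text):
    """Return (line number, user, finding) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed"))
            continue
        scheme = classify(rest.split(":", 1)[0])
        if scheme in LEGACY or scheme in ("empty", "unknown"):
            findings.append((lineno, user, scheme))
    return findings

# Constructed sample in the assumed user:hash format; no real accounts.
SAMPLE = """\
# constructed sample
alice:abJnggxhB/yWI
bob:$6$constructedsalt$constructedhashbody
carol:
dave:!locked
erin:$1$constructed$constructedhashbody
frank
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
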
josef Karliak wrote:
> is it possible to set up PAM to search for users and passwords in another file, for example "/etc/external_accounts"? With 3DES password's hash...

I recently had this problem too some time ago. I saw "pam_userdb", but the available crypt options (crypt, none) did not fulfill my needs.

So I worked around the problem with a special PAM configuration. Instead of having two user/password lists, I allow/forbid the authentication for the services separately.

This is the configuration for the service XYZ with its own user list (all users of group "xyz-users"):

/etc/pam.d/xyz

    # PAM configuration file for XYZ
    # requires that the user's uid is greater than or equal to 1000.
    auth requisite pam_succeed_if.so uid >= 1000 quiet
    #requires that the user belongs to the xyz-users group.
    auth requisite pam_succeed_if.so user ingroup xyz-users quiet
    #@include common-auth
    @include common-account
    @include common-password
    @include common-session

And this is the common configuration file for all other services:

/etc/pam.d/common-auth:

    auth required pam_succeed_if.so user notingroup xyz-users quiet
    auth sufficient pam_unix2.so
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so
    auth required pam_permit.so

All XYZ service users must be a member of group "xyz-users" and must have a UID >= 1000.

Greetings,
Björn