[rsbac] Exclusive UM w/o PAM - Answer?

Amon Ott ao at rsbac.org
Fri Sep 7 09:00:09 CEST 2007

On Friday 07 September 2007 06:51, Thomas Costigliola wrote:
> Ok, I just realized the answer to the question below is to change
> nsswitch.conf to use the rsbac modules.

NSS lib (nsswitch.conf) only provides user and group lists and the 
match between user and group names and numbers. For authentication 
and session setup you still need another mechanism.

> Hello, is it possible to use the UM module and remove the
> passwd/shadow stuff AND not use PAM? To me it does not seem
> possible b/c then certain programs have no way of authenticating
> users.  If that is the case then exclusive UM can only be used if
> PAM is present and only with programs that understand PAM. Am I
> missing something?

You can replace login with rsbac_login. SSH has its own RSA/DSA key 
mechanism. rsbac_auth can be used as auth helper for squid. For 
everything else you will have to write your own helper, which can 
either use rsbac_auth or call the RSBAC system call 
rsbac_um_auth_name(user, passwd) through librsbac.

About rsbac_auth: It expects lines with
username password
in cleartext on stdin and prints either ERR or OK on stdout. The delay 
of 1s on failure is hardcoded in the system call as protection 
against brute force attacks.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list