[rsbac] Exclusive UM w/o PAM - Answer?
Amon Ott
ao at rsbac.org
Fri Sep 7 09:00:09 CEST 2007
On Friday 07 September 2007 06:51, Thomas Costigliola wrote:
> Ok, I just realized the answer to the question below is to change
> nsswitch.conf to use the rsbac modules.
NSS lib (nsswitch.conf) only provides user and group lists and the
match between user and group names and numbers. For authentication
and session setup you still need another mechanism.
> Hello, is it possible to use the UM module and remove the
> passwd/shadow stuff AND not use PAM? To me it does not seem
> possible b/c then certain programs have no way of authenticating
> users. If that is the case then exclusive UM can only be used if
> PAM is present and only with programs that understand PAM. Am I
> missing something?
You can replace login with rsbac_login. SSH has its own RSA/DSA key
mechanism. rsbac_auth can be used as auth helper for squid. For
everything else you will have to write your own helper, which can
either use rsbac_auth or call the RSBAC system call
rsbac_um_auth_name(user, passwd) through librsbac.
About rsbac_auth: It expects lines with
username password
in cleartext on stdin and prints either ERR or OK on stdout. The delay
of 1s on failure is hardcoded in the system call as protection
against brute force attacks.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
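The rsbac_auth line protocol described in the message above, driven from a helper that fails closed. This is an added example, not part of the original post and not RSBAC's own code. It assumes rsbac_auth is on PATH and takes no arguments, that the first space separates username from password, and that each request line gets one reply line; `check_credentials`, `build_request` and `FAKE_HELPER` are hypothetical names.

```python
import subprocess
import sys

# Assumption: rsbac_auth is on PATH and is started without arguments.
RSBAC_AUTH = ["rsbac_auth"]

# Constructed stand-in for hosts without RSBAC: speaks the same line protocol
# and accepts only the constructed pair alice / "correct horse".
FAKE_HELPER = [sys.executable, "-c",
    "import sys\n"
    "for line in sys.stdin:\n"
    "    ok = line.rstrip('\\n') == 'alice correct horse'\n"
    "    print('OK' if ok else 'ERR', flush=True)\n"]

_FORBIDDEN = "\r\n\0"

def build_request(user, password):
    """Return the one-line request, or None if it cannot be sent safely."""
    if not user or "\0" in user or any(c.isspace() for c in user):
        return None  # whitespace in the name would shift the field boundary
    if any(c in _FORBIDDEN for c in password):
        return None  # a newline would smuggle a second credential line
    return f"{user} {password}\n"

def check_credentials(user, password, helper=RSBAC_AUTH, timeout=5.0):
    """True only when the helper answers exactly OK; anything else denies."""
    request = build_request(user, password)
    if request is None:
        return False
    try:
        # Credentials travel over stdin, not argv, so they stay out of the
        # process list. The timeout exceeds the 1s delay on failure.
        proc = subprocess.run(helper, input=request, capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed if the helper is missing or hangs
    return proc.stdout.splitlines() == ["OK"]

if __name__ == "__main__":
    print(check_credentials("alice", "correct horse", helper=FAKE_HELPER))
    print(check_credentials("alice", "wrong", helper=FAKE_HELPER))
```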