[Catalyst] Auth::PAM??

Michael Higgins linux at evolone.org
Tue Nov 18 17:37:35 GMT 2008

On Mon, 17 Nov 2008 13:40:12 +1100
f00li5h <f00li5h at pin21.com> wrote:

> On Sat, 15 Nov 2008 07:24:54 +1100, Michael Higgins
> <linux at evolone.org> wrote:
> > Nov 14 12:01:54 lappy perl: pam_unix(system-auth:auth): check pass;
> > user unknown Nov 14 12:01:54 lappy perl:
> > pam_unix(system-auth:auth): authentication failure;
> > logname=mykhyggz uid=0 euid=0 tty= ruser= rhost=
> pam_unix needs to be run by a user that can read /etc/shadow... IE
> root.
> I discovered this little joy recently ... since PAM on my Mac box was
> happy to auth users (since apple use some funky directory thing)
> in the end I changed my auth to use Authen::Simple::SSH 

Thanks for your input. I also queried the user group for my distro and directly a developer who had filed several bug reports over this issue. 

There is no sanctioned fix.

Every post that I've read regarding this issue ends with necessarily changing perms on /etc/shadow, with the caveat that yep, you are compromising security. But just a little bit...

. . .

No one has offered a scenario where somehow a Catalyst app would server up /etc/shadow. I appeal to the group: is this even theoretically possible?

. . .

As for Authen::Simple::SSH, this didn't work for me at all. Irrespective of the passwords I sent it, it authenticated my user with my user's private key, or failed to authenticate at all. :(  So I call it broken, but there may be something I don't know. 

In the end, we don't allow password SSH login on the production server anyway.

What we _do_ allow is SASL auth, as for SMTP service. So... there is an Authen::SASL, but no Catalyst hook? I'll try to get this working with Catalyst Auth stuff today, but I don't have great hopes of success.

Basically, here from the developer I queried: "no part of PAM has elevated privs so some kind of wrapper is required". The SASL auth is against PAM already, so in effect serves as that "required" wrapper, I guess.


 |\  /|        |   |          ~ ~  
 | \/ |        |---|          `|` ?
 |    |ichael  |   |iggins    \^ /

More information about the Catalyst mailing list