[Catalyst] Auth::PAM??
Michael Higgins
linux at evolone.org
Tue Nov 18 17:37:35 GMT 2008
On Mon, 17 Nov 2008 13:40:12 +1100
f00li5h <f00li5h at pin21.com> wrote:
> On Sat, 15 Nov 2008 07:24:54 +1100, Michael Higgins
> <linux at evolone.org> wrote:
>
> > Nov 14 12:01:54 lappy perl: pam_unix(system-auth:auth): check pass; user unknown
> > Nov 14 12:01:54 lappy perl: pam_unix(system-auth:auth): authentication failure; logname=mykhyggz uid=0 euid=0 tty= ruser= rhost=
>
> pam_unix needs to be run by a user that can read /etc/shadow... i.e.
> root.
>
> I discovered this little joy recently ... since PAM on my Mac box was
> happy to auth users (since apple use some funky directory thing)
>
> in the end I changed my auth to use Authen::Simple::SSH
>
Thanks for your input. I also queried the user group for my distro and, directly, a developer who had filed several bug reports over this issue.
There is no sanctioned fix.
Every post that I've read regarding this issue ends with necessarily changing perms on /etc/shadow, with the caveat that yep, you are compromising security. But just a little bit...
. . .
No one has offered a scenario where somehow a Catalyst app would serve up /etc/shadow. I appeal to the group: is this even theoretically possible?
. . .
As for Authen::Simple::SSH, this didn't work for me at all. Irrespective of the passwords I sent it, it authenticated my user with my user's private key, or failed to authenticate at all. :( So I call it broken, but there may be something I don't know.
In the end, we don't allow password SSH login on the production server anyway.
What we _do_ allow is SASL auth, as for SMTP service. So... there is an Authen::SASL, but no Catalyst hook? I'll try to get this working with Catalyst Auth stuff today, but I don't have great hopes of success.
Basically, here from the developer I queried: "no part of PAM has elevated privs so some kind of wrapper is required". The SASL auth is against PAM already, so in effect serves as that "required" wrapper, I guess.
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
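The "wrapper" the quoted developer describes, and what saslauthd provides in practice, is a privilege-separated checker: the unprivileged web process hands (user, password) to a privileged helper over a local socket and gets back only a verdict, so the application never needs read access to /etc/shadow. The following is an added example of that pattern, not code from this thread or from Catalyst. It assumes a constructed in-memory password store hashed with PBKDF2 in place of the real shadow file and PAM, and it runs both sides as threads over a socketpair so it works offline; in a real deployment the helper side would be a separate root-owned process (saslauthd, a setuid helper) listening on a Unix socket.

```python
"""Privilege-separated password check (constructed example).

The application side (authenticate) never touches the password store.
It sends "user\\0password" to a helper, which alone reads the store and
answers with a single byte: 0x01 for success, 0x00 for failure.
"""
import hashlib
import hmac
import socket
import threading

# Constructed stand-in for /etc/shadow: user -> (salt, PBKDF2-SHA256 hash).
# Only helper_check() below is allowed to read it.
_SALT = b"constructed-salt"


def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


SHADOW = {
    "alice": (_SALT, _hash(b"correct horse", _SALT)),
}


def helper_check(user: str, password: str) -> bool:
    """Privileged side: the only code that consults SHADOW."""
    entry = SHADOW.get(user)
    if entry is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal whether an account exists.
        _hash(password.encode(), _SALT)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password.encode(), salt), expected)


def _helper_side(conn: socket.socket) -> None:
    """Helper loop for one request: read until EOF, reply with one byte."""
    with conn:
        data = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        user, _, password = data.partition(b"\x00")
        ok = helper_check(user.decode("utf-8", "replace"),
                          password.decode("utf-8", "replace"))
        conn.sendall(b"\x01" if ok else b"\x00")


def authenticate(user: str, password: str) -> bool:
    """Application side: asks the helper and learns only the verdict.

    The wire format uses NUL as the field separator, so a NUL in either
    field is rejected up front rather than letting it split the request.
    """
    if "\x00" in user or "\x00" in password:
        return False
    app_side, helper_side = socket.socketpair()
    worker = threading.Thread(target=_helper_side, args=(helper_side,))
    worker.start()
    with app_side:
        app_side.sendall(user.encode() + b"\x00" + password.encode())
        app_side.shutdown(socket.SHUT_WR)  # signals end of request
        verdict = app_side.recv(1)
    worker.join()
    return verdict == b"\x01"


if __name__ == "__main__":
    for u, p in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "x")]:
        print(u, "->", "OK" if authenticate(u, p) else "FAIL")
```

The security property worth noticing is the width of the interface: the application receives one byte, so even a file-read or traversal bug in the web tier cannot reach the hashes, which is exactly what loosening permissions on /etc/shadow gives away.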