Date:      Mon, 3 Nov 1997 10:07:24 -0800 (PST)
From:      Tom <tom@sdf.com>
To:        Eivind Eklund <perhaps@yes.no>
Cc:        hackers@freebsd.org
Subject:   Re: Password verification (Was: cvs commit: ports/x11/kdebase - Imported sources)
Message-ID:  <Pine.BSF.3.95q.971103100454.20666A-100000@misery.sdf.com>
In-Reply-To: <199711031005.LAA21994@bitbox.follo.net>


On Mon, 3 Nov 1997, Eivind Eklund wrote:

> > > But, how to allow users check only their own password, and still
> > > have the added security of shadow passwords ?  I can only think
> > > in a kind of password checking daemon that would accept commands
> > > on a AF_UNIX socket and some patches to libc pw commands.
> > 
> >   You can always use the pwcheck daemon from the Cyrus module (see ports).
> > It opens a unix socket at /var/pwcheck/pwcheck.  Permissions on the
> > /var/pwcheck directory can be used to determine who can check passwords.
> 
> Is it restricted to only let a user check his own password?  Or could
> we make it only check a user's own password fairly easily?

  How would that be useful?

> The simplest solution I can see is to create a /usr/bin/checkpw which
> takes in a username/password on stdin, and checks that the username
> has the same ID as the users real ID, and exits with OK/failure.  (And
> I don't care about the expense of exec'ing a program to check a password
> - checking passwords is supposed to be expensive.)

  I don't find this very useful.  For example, let's say you want a web
server to be able to verify passwords, but the web server is running as a
"www" user, so it can't check anything but its own password?  The pwcheck daemon
is a little more useful.  It allows me to have fairly unprivileged servers
check passwords.

> How is the feeling about this kind of program - too much bloat?
> Security problem?  Personally, I want it - less security problem than
> making other programs setuid.
> 
> Eivind.

Tom
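The two access policies argued over in this message, as an added example that is not part of the original thread, of FreeBSD, or of the Cyrus pwcheck code. The in-memory password table, the uid values, the PBKDF2 hash standing in for crypt(3), the set of uids representing the /var/pwcheck directory permissions, and the two-line stdin format for checkpw are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import sys

ITERATIONS = 100_000  # deliberately expensive, as the thread says password checks should be


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash. PBKDF2-HMAC-SHA256 is an assumption used here in
    place of the crypt(3) formats a real master.passwd would hold."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(uid: int, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"uid": uid, "salt": salt, "hash": hash_password(password, salt)}


# Constructed stand-in for the shadowed password database (username -> entry).
SHADOW_DB = {
    "alice": make_entry(1001, "correct horse battery staple"),
    "www": make_entry(80, "www-service-secret"),
}

# Constructed stand-in for the permission bits on the /var/pwcheck directory:
# the uids that can reach the daemon's socket and so may check any account.
PWCHECK_DIR_ALLOWED_UIDS = {80}

DUMMY_SALT = b"\x00" * 16


def verify(entry, password: str) -> bool:
    """Constant-time comparison; the hashing work is done even for a missing
    account so that account existence is not revealed by timing."""
    if entry is None:
        hash_password(password, DUMMY_SALT)
        return False
    return hmac.compare_digest(hash_password(password, entry["salt"]), entry["hash"])


def checkpw(real_uid: int, username: str, password: str, db=SHADOW_DB) -> bool:
    """Eivind's /usr/bin/checkpw policy: the named account must belong to the
    caller's real uid, otherwise the request fails regardless of the password."""
    entry = db.get(username)
    if entry is None or entry["uid"] != real_uid:
        verify(None, password)  # burn the same time as a real check
        return False
    return verify(entry, password)


def pwcheck_daemon(client_uid: int, username: str, password: str, db=SHADOW_DB,
                   allowed=PWCHECK_DIR_ALLOWED_UIDS) -> bool:
    """The pwcheck-daemon policy Tom prefers: any client the directory
    permissions let connect may check any account, so an unprivileged www
    user can validate other users' logins without being setuid."""
    if client_uid not in allowed:
        return False
    return verify(db.get(username), password)


def run_checkpw(real_uid: int, stdin_text: str, db=SHADOW_DB) -> int:
    """Exit-status wrapper for the checkpw program: 0 for OK, 1 for failure.
    Input format is an assumption: username on line one, password on line two."""
    lines = stdin_text.split("\n")
    if len(lines) < 2:
        return 1
    return 0 if checkpw(real_uid, lines[0], lines[1], db) else 1


if __name__ == "__main__":
    # A real checkpw would need setuid/setgid rights to read the shadow file;
    # getuid() still returns the invoker's real uid, which is what the policy keys on.
    sys.exit(run_checkpw(os.getuid(), sys.stdin.read()))
```

Run as `printf 'alice\nsecret\n' | python3 checkpw.py; echo $?` to see the exit-status interface. The contrast the thread draws shows up directly: `checkpw(80, "alice", ...)` always fails because uid 80 is not alice, while `pwcheck_daemon(80, "alice", ...)` succeeds when the password is right because uid 80 is admitted by the directory permissions.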
