Date: Thu, 17 Mar 2005 22:16:06 +0000 From: Jake Scott <jake@poptart.org> To: freebsd-isp@freebsd.org Subject: Multiple passwords for ftp/ssh Message-ID: <423A01A6.9040601@poptart.org>
Hi. I've just configured a new 5.3-Stable system to use nss_ldap and pam_ldap. It's all working very well. However, I'd like users to have two passwords - one for logging into services over encrypted links and one for unencrypted links - e.g. one for ssh/imaps and another for http/imap/ftp.

I've created a new LDAP object class that provides a new attribute (insecurePassword). nss_ldap is configured with a rootbinddn, and "nss_map_attribute userPassword insecurePassword". Now, getent() as root returns the insecurePassword for users.

So - I've got sshd's PAM config using pam_ldap and pam_unix, and ftp's PAM config just using pam_unix. This means that when a user logs in via FTP, they must use the password stored in the insecurePassword attribute. When logging in via SSH, they can use the password in the userPassword attribute (authenticated via an LDAP bind operation in pam_ldap).

The problem is that a user can also use their insecure password via ssh, because I need pam_unix in the PAM chain so that users in the local password file can also log in. What I'd like is for a user in the LDAP directory to only be able to log in using their secure (userPassword) password. It would be good if I could make the PAM chain stop if the presented password doesn't match the userPassword attribute - but to continue if that's because the user isn't in the directory.

Does anyone know if there's a way I can do this - or is there a better way to achieve this?

Many thanks in advance

Jake
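The chain behaviour the post describes can be made concrete with a small model of PAM stack evaluation. This is an added example, not code from the post, from pam_ldap, or from FreeBSD; the directory entries, the local passwd file and the control flags on the sshd chain (pam_ldap as "sufficient", pam_unix as "required") are my assumptions, since the post only says both modules are in the chain. The model shows why the insecure password is accepted over ssh with keyword-style controls, and what per-result actions a module control would need in order to fail hard on a wrong secure password yet fall through when the user is simply not in the directory.

```python
"""Toy model of PAM auth-chain evaluation for the two-password setup.

Added example: this is not real PAM, pam_ldap or pam_unix code. All data
below is constructed: one directory user (alice) with a userPassword and an
insecurePassword, and one local-only user (bob) in the passwd file.
"""

SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"

# Constructed LDAP directory: secure and insecure password per user.
DIRECTORY = {"alice": {"userPassword": "s3cure", "insecurePassword": "weak"}}
# Constructed local passwd file.
LOCAL_PASSWD = {"bob": "localpw"}


def nss_lookup(user):
    """Password pam_unix sees: local file first, then the nss_ldap mapping
    from the post (userPassword -> insecurePassword) for directory users."""
    if user in LOCAL_PASSWD:
        return LOCAL_PASSWD[user]
    if user in DIRECTORY:
        return DIRECTORY[user]["insecurePassword"]
    return None


def pam_ldap(user, password):
    """Models an LDAP bind against the userPassword attribute."""
    if user not in DIRECTORY:
        return USER_UNKNOWN
    return SUCCESS if DIRECTORY[user]["userPassword"] == password else AUTH_ERR


def pam_unix(user, password):
    """Models pam_unix comparing against whatever NSS returns."""
    stored = nss_lookup(user)
    if stored is None:
        return USER_UNKNOWN
    return SUCCESS if stored == password else AUTH_ERR


# Keyword controls expanded to per-result actions, following the Linux-PAM
# documentation of these keywords: "done" ends the stack with success (unless
# an earlier required module failed), "die" ends it with failure, "bad"
# records a failure and continues, "ok"/"ignore" just continue.
KEYWORD = {
    "required":   {SUCCESS: "ok",   AUTH_ERR: "bad",    USER_UNKNOWN: "bad"},
    "requisite":  {SUCCESS: "ok",   AUTH_ERR: "die",    USER_UNKNOWN: "die"},
    "sufficient": {SUCCESS: "done", AUTH_ERR: "ignore", USER_UNKNOWN: "ignore"},
}


def run_chain(chain, user, password):
    """chain: list of (control, module); control is a keyword or an action dict.
    Returns True when the stack authenticates the user."""
    failed = False
    for control, module in chain:
        actions = KEYWORD[control] if isinstance(control, str) else control
        action = actions[module(user, password)]
        if action == "done":
            return not failed
        if action == "die":
            return False
        if action == "bad":
            failed = True
        # "ok" and "ignore": evaluate the next module
    return not failed


# Assumed chains for the setup in the post.
SSHD_CHAIN = [("sufficient", pam_ldap), ("required", pam_unix)]
FTPD_CHAIN = [("required", pam_unix)]

# What the post asks for: a wrong secure password from a directory user ends
# the stack with failure, while an unknown user falls through to pam_unix.
STRICT_LDAP = {SUCCESS: "done", AUTH_ERR: "die", USER_UNKNOWN: "ignore"}
SSHD_STRICT_CHAIN = [(STRICT_LDAP, pam_ldap), ("required", pam_unix)]


def outcomes(chain):
    """Evaluate a fixed set of constructed login attempts against a chain."""
    attempts = [("alice", "s3cure"), ("alice", "weak"), ("alice", "wrong"),
                ("bob", "localpw"), ("bob", "wrong")]
    return {attempt: run_chain(chain, *attempt) for attempt in attempts}


if __name__ == "__main__":
    for name, chain in (("sshd", SSHD_CHAIN), ("ftpd", FTPD_CHAIN),
                        ("sshd strict", SSHD_STRICT_CHAIN)):
        print(name, outcomes(chain))
```

With the keyword controls, alice's insecure password is accepted over ssh because pam_ldap's failure is only "ignored" and pam_unix then matches the NSS-mapped insecurePassword, which is exactly the problem in the post. The STRICT_LDAP action dict corresponds to Linux-PAM's bracket syntax, `[success=done user_unknown=ignore default=die]`; the plain keywords cannot express it, because they react to a wrong password and to an unknown user in the same way. Whether the OpenPAM version on the poster's FreeBSD 5.3 system offers an equivalent is not something the post establishes.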
