From: Jake Scott <jake@poptart.org>
Date: Thu, 17 Mar 2005 22:16:06 +0000
To: freebsd-isp@freebsd.org
Subject: Multiple passwords for ftp/ssh
Message-ID: <423A01A6.9040601@poptart.org>

Hi.

I've just configured a new 5.3-Stable system to use nss_ldap and pam_ldap. It's all working very well.

However, I'd like users to have two passwords - one for logging into services over encrypted links and one for unencrypted links - e.g. one for ssh/imaps and another for http/imap/ftp.

I've created a new LDAP object class that provides a new attribute (insecurePassword). nss_ldap is configured with a rootbinddn, and "nss_map_attribute userPassword insecurePassword".
Now, getent() as root returns the insecurePassword for users.

So - I've got sshd's PAM config using pam_ldap and pam_unix, and ftp's PAM config just using pam_unix. This means that when a user logs in via FTP, they must use the password stored in the insecurePassword attribute. When logging in via SSH, they can use the password in the userPassword attribute (authenticated via an LDAP bind operation in pam_ldap).

The problem is that a user can also use their insecure password via ssh, because I need pam_unix in the PAM chain so that users in the local password file can also log in.

What I'd like is for a user in the LDAP directory to only be able to log in using their secure (userPassword) password. It would be good if I could make the PAM chain stop if the presented password doesn't match the userPassword attribute - but to continue if that's because the user isn't in the directory.

Does anyone know if there's a way I can do this - or is there a better way to achieve this?

Many thanks in advance

Jake
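The following is an added example, not part of the original post or of FreeBSD/OpenPAM. It models the PAM auth-chain evaluation the post describes so the two behaviours can be compared side by side: the fall-through that lets an LDAP user's weak insecurePassword authenticate over ssh, and the chain that stops on an LDAP password mismatch but continues when the user is simply not in the directory. It assumes the poster's sshd stack is "pam_ldap sufficient, pam_unix required" (the post does not give the control flags), and it assumes a PAM implementation that understands the Linux-PAM bracketed control syntax `[success=done user_unknown=ignore default=die]`; OpenPAM as shipped with FreeBSD 5.x supports only required/requisite/sufficient/optional/binding, so the second stack is shown as the target behaviour rather than a drop-in fix for that platform. The user entries are constructed sample data.

```python
"""Toy model of PAM 'auth' chain evaluation (constructed illustration).

Each module returns one of the result codes below; run_stack() applies the
classic sufficient/required rules and the Linux-PAM style bracketed
controls so the two sshd stacks can be compared.
"""

SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"

# Constructed directory: LDAP users carry a strong userPassword and a
# weak insecurePassword; local users exist only in master.passwd.
LDAP_USERS = {"alice": {"userPassword": "strong-pw", "insecurePassword": "weak-pw"}}
LOCAL_USERS = {"bob": "local-pw"}


def pam_ldap(user, password):
    """Simple bind as the user: checks userPassword only."""
    entry = LDAP_USERS.get(user)
    if entry is None:
        return USER_UNKNOWN
    return SUCCESS if password == entry["userPassword"] else AUTH_ERR


def pam_unix(user, password):
    """Checks the hash getpwnam() hands back. With nss_ldap mapping
    userPassword -> insecurePassword, LDAP users are checked against the
    weak password; local users against master.passwd."""
    if user in LDAP_USERS:
        return SUCCESS if password == LDAP_USERS[user]["insecurePassword"] else AUTH_ERR
    if user in LOCAL_USERS:
        return SUCCESS if password == LOCAL_USERS[user] else AUTH_ERR
    return USER_UNKNOWN


def run_stack(stack, user, password):
    """Evaluate a list of (control, module) pairs and return True on success.

    control is 'sufficient', 'required', or a dict mapping result codes
    (and 'default') to the actions 'done', 'die', 'ignore' or 'ok'.
    """
    failed = False
    for control, module in stack:
        rc = module(user, password)
        if control == "sufficient":
            # Success ends the chain unless an earlier required module failed.
            if rc == SUCCESS and not failed:
                return True
            continue
        if control == "required":
            # Failure is remembered but later modules still run.
            if rc != SUCCESS:
                failed = True
            continue
        action = control.get(rc, control["default"])
        if action == "done":
            return not failed
        if action == "die":
            return False
        # 'ignore' and 'ok' fall through to the next module
    return not failed


# Assumed current sshd stack: pam_ldap sufficient, pam_unix required.
SSHD_CURRENT = [("sufficient", pam_ldap), ("required", pam_unix)]

# Target behaviour (Linux-PAM bracketed controls, assumed available):
#   auth [success=done user_unknown=ignore default=die] pam_ldap.so
#   auth required pam_unix.so
SSHD_DESIRED = [
    ({SUCCESS: "done", USER_UNKNOWN: "ignore", "default": "die"}, pam_ldap),
    ("required", pam_unix),
]


def ssh_login_outcomes(stack):
    """Exercise the four cases that matter for the question."""
    return {
        "ldap-user/strong-pw": run_stack(stack, "alice", "strong-pw"),
        "ldap-user/weak-pw": run_stack(stack, "alice", "weak-pw"),
        "local-user/local-pw": run_stack(stack, "bob", "local-pw"),
        "local-user/wrong-pw": run_stack(stack, "bob", "nope"),
    }


if __name__ == "__main__":
    for name, stack in (("current", SSHD_CURRENT), ("desired", SSHD_DESIRED)):
        print(name, ssh_login_outcomes(stack))
```

Running it shows the gap the post describes: with the current stack, "ldap-user/weak-pw" is accepted because pam_ldap's AUTH_ERR does not stop the chain and pam_unix then matches the mapped insecurePassword. With the bracketed control, an LDAP bind failure ends the chain, while USER_UNKNOWN falls through so local accounts still reach pam_unix.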