Re: Authenticating encrypted passwords

From: Henrik Nordstrom <[email protected]>
Date: Thu, 09 Mar 2000 20:25:00 +0100

getpwnam_auth is supposed to work, but it probably requires to be
installed setuserid-root to be able to access /etc/shadow, and even then
it might not be able to access it.

if getpwnam_auth does not work with shadow passwords on your system,
then you could try the pam_auth module. It requires a little more
configuration to get going, but it works with all password sources you
can use for the normal UNIX login. This however is only possible on a OS
using PAM for authentication. (Linux, Solaris, HP-UX, and lots of other
OS:es)

The best way to try if the authenticator works is to call it from the
command line.

1. As root, try to run the authenticator and type
login password

You should get back either OK or ERR depenting on if the password is
correct.

2. If the above works, then try it as a non-root user. If you are using
shadow passwords this will most likely fail to authenticate any other
user than the user the authenticator runs as.

3. If #2 fails, then retry it with the authenticator setuserid root.
This should work at least for pam_auth.

Disclaimer: I do not guarantee that getpwnam_auth or pam_auth can be
securely installed suid-root if your proxy-server is a multiuser system
where non-privilegied users have access run programs.

/Henrik

Erico Barretta Penna wrote:
>
> Hi,
> Wich authenticator works with /etc/passwd or /etc/shadow? My squid is
> 2.2.Stable5.
> I've tried so far: ncsa_auth and getpwnam_auth. They call the
> username/password screen but when I enter the username/password it refuses I
> think because it is encrypted.
> I've read a lot of faq information, newgroups, etc and I don't find an
> answer.
> Can you help me out?
>
> Thank you for your attention,
> Erico
Received on Fri Mar 10 2000 - 05:42:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:52:02 MST