Re: non-root password lookups?

On 18 Jan 1999, Martin Bialasinski wrote:

> I heard on Solaris you have a daemon, which takes username/password
> and tells you if the combination is OK.

rpc.pwdauthd.  Nice idea, but Linux doesn't have (as far as I am aware) any
kind of a credentials mechanism so you know you're talking to a _real_
rpc.pwdauthd and not some fake daemon some s|<r1pt kiddie is running.  (I'm
vague on the exact mechanism involved, but I seem to recall reading about
it on either BUGTRAQ or linux-kernel recently.)

This is one of the reasons I've never bothered with shadow passwords on
Linux - everything must either be suid root or sgid shadow, and that's a
lot of power to give to $some_random_program.  I just make sure I use
'unguessable' passwords, and I don't have lusers on my boxes.


