Subject: Re: suid helper to read own passwd entry
To: None <tech-userlevel@netbsd.org>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: tech-userlevel
Date: 12/01/2006 16:14:19

On Fri, Dec 01, 2006 at 03:47:36PM +0100, Matthias Drochner wrote:
> It is increasingly annoying that non-root applications cannot
> use PAM to authenticate against a local master.passwd file.

[snip]

Why not fix *exactly* this program by a suid program which allows the
verification of the password + possible logging of failures? The NSS
approach sounds nice in theory, but has the negative side-effect that
any exploit in a normal user program can be used to get the hash for
offline attacks.  The resulting PAM module should be portable as well,
which is an even bigger advantage (it doesn't need NSS!).

Joerg