Subject: Re: PROPOSAL: making passwd pluggable (sort of)
To: Aidan Cully <aidan@kublai.com>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 01/30/2000 12:58:01
In message <20000130134107.A8499@ozymandias.kublai.com>, Aidan Cully writes:
>Because I don't want to open this can of worms? I've got no objection
>to going PAM wholesale, personally, but I seem to remember a massive
>flamefest last time this came up, and I don't want to be the person to
>make that decision.
Heh. It does tend to a flamefest.
The big reason: PAM does not allow a sysadmin to let a non-setuid program
validate logins or similar things that would require setuid privs to check.
I've been using BSD Authentication (the stuff that BSDI donated to the general
public as a usable auth scheme to use with login.conf), and I *love* it. Want
a login method that lets people log in only during business hours?
#!/bin/sh
case `date +%H` in
09|10|11|12|13|14|15|16)
exec login_passwd $*
;;
*)
echo >&3 "reject"
exit 1
;;
esac
I may have botched this, since I'm pretty much doing it from memory, but
that's a pretty simple, user-friendly interface. Okay, you need to read
the docs to know that you write reject to &3.
-s