Subject: Re: Centralized User and Password Management
To: Pavel Cahyna <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 12/05/2004 17:32:54
[ On Monday, November 29, 2004 at 15:29:59 (+0100), Pavel Cahyna wrote: ]
> Subject: Re: Centralized User and Password Management
> Say there is a screen-locking program like xlock or xscreensaver,
> which requires a password to unlock the screen. Isn't pam_krb5 the right
> way in this situation to ensure that this password is consistent with the
> password used to login?
No, not at all.
PAM is just one possible answer to the problem of accessing the "shadow"
password (i.e. /etc/spwd.db on NetBSD) so that the user's system
password can be used by a non-privileged application such as xlock,
though I forget exactly how the PAM advocates claim it is supposed to be
secure. :-) (PAM does have other claimed benefits of course but none of
them are really relevant to your example.)
Cyrus SASL's "saslauthd -a getpwent" is another, better and far more
secure, way to do the same thing; and the BSD/OS authentication
architecture that's often been discussed in NetBSD cirles is yet an even
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <firstname.lastname@example.org>
Planix, Inc. <email@example.com> Secrets of the Weird <firstname.lastname@example.org>