Subject: Re: Login classes
To: Andrew Brown <atatat@atatdot.net>
From: Peter Seebach <seebs@plethora.net>
List: tech-misc
Date: 06/14/2000 14:26:31
In message <20000614152157.A8386@noc.untraceable.net>, Andrew Brown writes:
>>BSD Authentication is the BSD/OS authentication system. Basically, it's
>>a login.conf extension that lets you specify authentication methods per
>>login class. You then have programs with names like
>>"/usr/libexec/login_passwd" which handle authentication. "login_passwd"
>>is the "traditional" Unix password scheme. There's also "login_krb_or_pwd",
>>which tries to do either Kerberos or regular passwords. So, on my NetBSD
>>box, if I have Kerberos running, I do
>>...
>does this mean that i have to have separate login programs for each
>combination of authentication methods i have available to me?
No. You can also do
auth=passwd,kerberos,...
if you want.
>(have i asked this before? this seems so familiar...)
I don't recall seeing it. Anyway, BSD/OS ships with
login_activ login_kerberos login_radius login_skey
login_auth login_krb-or-pwd login_rchpass login_snk
login_chpass login_lchpass login_reject login_token
login_crypto login_passwd login_rpasswd
by default. "rpasswd" is a thing that supports a "remote password" database;
it's used by default for radius, so you can have a radius program use "Unix"
authentication, and use a real hashed database (rather than a big flat file),
with encrypted passwords, and still not have to give radius users accounts.
login_reject is obvious, I think.
It would probably be possible to write login_pam, but no one seems to be
very interested.
I'd be glad to answer technical questions about this within the boundaries
of my knowledge, and as I understand it, there's some support for me asking
the engineer questions about it if it'll help further the cause of having a
decent authentication system in more BSD Unix[*]. :)
-s
[*] UNIX(tm) is a trademark of whoever owns it. Unix is what Thompson and
Ritchie invented.
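Added example, not from the post above: a small Python parser for the getcap-style login.conf format (colon-separated capabilities, backslash continuation lines, tc= inheritance) that resolves the per-class auth= list described in the thread to the /usr/libexec/login_<style> programs it names. The sample login.conf, its class names and the tc= chaining are constructed for illustration; only the login styles passwd, krb_or_pwd and rpasswd come from the post.

```python
import re

# Constructed sample login.conf; per-class auth= lists name the login_<style> helpers.
SAMPLE_LOGIN_CONF = r"""
# default class: traditional Unix passwords only
default:\
	:path=/usr/bin /bin:\
	:umask=022:\
	:auth=passwd:

# staff may try Kerberos first, then the local password file
staff:\
	:auth=krb_or_pwd,passwd:\
	:tc=default:

# radius users authenticate against the remote password database
radius:\
	:auth=rpasswd:\
	:tc=default:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from getcap-style text."""
    records = {}
    for line in re.sub(r"\\\n", "", text).splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f for f in (p.strip() for p in line.split(":")) if f]
        name = fields[0].split("|")[0]  # first name before any '|' aliases
        caps = {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            caps[key] = value  # boolean capabilities keep an empty value
        records[name] = caps
    return records

def lookup(records, cls, cap, seen=()):
    """Resolve a capability, following tc= inheritance like getcap(3)."""
    rec = records.get(cls)
    if rec is None or cls in seen:  # unknown class or tc= cycle
        return None
    if cap in rec:
        return rec[cap]
    parent = rec.get("tc")
    return lookup(records, parent, cap, seen + (cls,)) if parent else None

def auth_programs(records, cls):
    """Ordered login_<style> programs consulted for a login class."""
    styles = (lookup(records, cls, "auth") or "").split(",")
    return ["/usr/libexec/login_" + s for s in styles if s]
```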