Stephen Gran wrote:

> This one time, at band camp, Bram Senders said:
> > I guess this would be a problem if the postgres database is not local;
> > i.e. if you want several machines to authenticate against the same
> > database. The only way I currently see of "fixing" this is to use one
> > user with "trust" access for read-only access to the group_table,
> > passwd_table and usergroups tables (and use this user in
> > /etc/nss-pgsql.conf), and one user with "md5" access (or some other
> > authenticated access method) for access to the shadow_table table (and
> > use this user in /etc/nss-pgsql-root.conf).
>
> Hi,
>
> Sure, this is possible - they're just connection parameters to a
> database call, after all. Basically, you want to create a separate
> /etc/nss-pgsql-root.conf with different connection parameters than the
> regular /etc/nss-pgsql.conf. In postgres itself, the non-privileged
> user should have read only access to your passwd, group and passwd-group
> map tables. The 'root' user (whatever name you choose to give it)
> should have read only access to the shadow table. These are standard
> GRANT options in postgres speak.
>
> In pg_hba.conf, the non-privileged user is granted access with trust,
> the privileged user is granted access with md5 or whatever other password
> mechanism you like. On the local filesystem, you protect the shadow
> credentials in /etc/nss-pgsql-root.conf by making the file mode 0600
> root:root. The non-privileged file of course has to be world read only,
> so 0444 as a minimum.

Okay, thanks! I will look into this.

Denis Feklushkin wrote:

> If you want to build a system of multiple machines, I do not recommend
> using NSS and network access to NSS for *authentication* at all (it
> does not matter whether it is libnss-pgsql2 or another module).
>
> Otherwise, an attacker who breaks into one of the machines and obtains
> root permission will be able to immediately take all logins and
> password hashes from your NSS DB.
>
> NSS can be used for authorization but not for authentication. Use PAM
> instead.

Hmm, that doesn't sound too good. But yes, I can understand how that would be the case. In that case, I will see whether there is some PAM module that better suits my needs.

Thank you for your assistance, both of you!

Bram
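The privilege split Stephen describes, written out as an added example (not code from the thread or from libnss-pgsql). The table names are the ones mentioned in the thread; the role names nss_reader and nss_shadow, the database name nss and the client subnet are assumptions.

```sql
-- Added example, not from the thread. Roles, database name and subnet are assumed;
-- passwd_table, group_table, usergroups and shadow_table are the names used above.

-- 1. Two roles: one used by /etc/nss-pgsql.conf (trust), one by
--    /etc/nss-pgsql-root.conf (md5 password).
CREATE ROLE nss_reader LOGIN;
CREATE ROLE nss_shadow LOGIN PASSWORD 'REPLACE-WITH-A-REAL-PASSWORD';

-- 2. Start from no access at all, so nothing is inherited through PUBLIC.
REVOKE ALL ON passwd_table, group_table, usergroups, shadow_table FROM PUBLIC;

-- 3. Read-only access to the passwd, group and passwd-group map tables
--    for the unprivileged role.
GRANT SELECT ON passwd_table, group_table, usergroups TO nss_reader;

-- 4. Read-only access to the shadow table for the privileged role only.
GRANT SELECT ON shadow_table TO nss_shadow;

-- 5. Verify the split: only nss_shadow should hold SELECT on shadow_table.
SELECT rolname,
       has_table_privilege(rolname, 'shadow_table', 'SELECT') AS can_read_shadow
  FROM pg_roles
 WHERE rolname IN ('nss_reader', 'nss_shadow');

-- Matching pg_hba.conf entries (database and subnet are placeholders):
--   host  nss  nss_reader  192.0.2.0/24  trust
--   host  nss  nss_shadow  192.0.2.0/24  md5
-- On each client, as described above:
--   chown root:root /etc/nss-pgsql-root.conf && chmod 0600 /etc/nss-pgsql-root.conf
--   chmod 0444 /etc/nss-pgsql.conf
```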