On 9 Sep 2002, Gordon Messmer wrote:

> > Extracting a readable subset of /etc/shadow is quite do-able
> > by a cron process
>
> ...which basically negates the benefits of the shadow password file.
> LDAP, Kerberos, or (as you note) RADIUS are better options.

I did not say it was the best approach -- but a set of no-shell
tracker accounts (here prefixed with "adm-") with a separate
password userid and password series may exist in the regular
passwd series, and be maintained with the regular suite of account
tools

    grep ^adm- /etc/passwd > /home/adminuser/etc/passwd
    grep ^adm- /etc/shadow > /home/adminuser/etc/shadow

so that the authentication may occur as indicated. It is much more
'lightweight' than LDAP or Radius

> > (similar to the redacted /var/ftp/etc/passwd
> > et al., which anon ftp uses in a chrooted daemon setup), and
> > then one authenticates potential users there ...
>
> Whose ftp server does that? I've never seen it.

From the Red Hat anon-ftp .spec file:

    cat > $RPM_BUILD_ROOT%{ROOT}/etc/passwd <<EOF
    root:*:0:0:::
    bin:*:1:1:::
    operator:*:11:0:::
    ftp:*:14:50:::
    nobody:*:99:99:::
    EOF

> > There is working sample code in my 'PHP and the command line'
> > presentation at:
> > http://www.colug.net/notes/0208mtg/?c=authindex.php
>
> Nitpick:
> <head>
> <link REL="SHORTCUT ICON" HREF="/favicon.ico">
> <title>The Central Ohio Linux User Group<br>
> <b>Warning</b>: Failed opening 'IPgreet.php' for inclusion
> (include_path='.:/usr/share/php') in
> You should fix that.

Last person who critiqued the LUG html caused this warning to be
inserted on the top page:

<!-- 020309 - - the NEW secret message is: The _next time_ JEP
offers helpful comments on web standard compliance, we announce
his acceptance of the post of webmaster -->

... thanks -- I have made an amendment accordingly ... AND added
new comments in the top page at http://www.colug.net/index.php
have new content starting:

020909 - - the NEW NEW secret message is: The _next time_ ...

<smile>

> > > One could always switch to LDAP or Kerberos for authentication on the
> > > system, and access those from PHP (but not necessarily with PAM?).
> >
> > ummmm --- native radius support exists in PHP, albeit the last
> > time I used it, marked experimental
>
> Is it enabled in Red Hat's build? I don't see it documented here:
> http://www.php.net/manual/en/

Dunno, don't find it directly in the current PHP online manual.
As I recall it was there experimentally and natively in PHP six
months ago, but I may be misremembering -- my notes on this are
150 miles away ...

BUT, radius authentication capability is still there for folks
who can dink with code ... The php socket code is really powerful
and nice, and IS enabled by default in recent Red Hat releases:

http://www.mavetju.org/programming/php.php

first entry has one approach. It is a bit awkward for it has a
persistence layer and database backend which make the example
less clear, but with judicious trimming, it works fine with
keying and some other changes.

-- Russ Herrold
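
The cron extraction discussed in this message, written so that the exported copy stays private and cannot pick up interactive accounts. This is an added example, not part of the original post or the author's code. The function name, the no-login shell filter, the temporary paths and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the shell
# filter and all paths below are assumptions.

# export_tracker_subset SRC_PASSWD SRC_SHADOW DEST_DIR
# The body runs in a subshell "( ... )" so the umask change does not leak out.
export_tracker_subset() (
    src_passwd=$1; src_shadow=$2; dest=$3
    umask 077                          # directory 0700, files 0600
    mkdir -p "$dest" || exit 1
    tmp_p=$(mktemp "$dest/passwd.XXXXXX") || exit 1
    tmp_s=$(mktemp "$dest/shadow.XXXXXX") || { rm -f "$tmp_p"; exit 1; }

    # Keep adm- entries only when the login shell is a no-login shell, so an
    # interactive account that happens to match the prefix is not exported.
    awk -F: '$1 ~ /^adm-/ && $7 ~ /\/(nologin|false)$/' "$src_passwd" > "$tmp_p"

    # Keep shadow lines only for names that passed the passwd filter.
    awk -F: 'NR == FNR { ok[$1] = 1; next } ($1 in ok)' "$tmp_p" "$src_shadow" > "$tmp_s"

    # Renaming inside one directory is atomic: readers never see a partial file.
    mv -f "$tmp_p" "$dest/passwd" && mv -f "$tmp_s" "$dest/shadow"
)

# demo: run the export over constructed sample data, then print the exported
# account names and the modes of the export directory and shadow copy.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd.src" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm-web:x:1001:1001::/nonexistent:/sbin/nologin
adm-oops:x:1002:1002::/home/oops:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash
EOF
    cat > "$d/shadow.src" <<'EOF'
root:CONSTRUCTED-HASH-1:19000:0:99999:7:::
adm-web:CONSTRUCTED-HASH-2:19000:0:99999:7:::
adm-oops:CONSTRUCTED-HASH-3:19000:0:99999:7:::
alice:CONSTRUCTED-HASH-4:19000:0:99999:7:::
EOF
    export_tracker_subset "$d/passwd.src" "$d/shadow.src" "$d/out" || return 1
    cut -d: -f1 "$d/out/shadow"
    ls -ld "$d/out" | cut -c1-10
    ls -l "$d/out/shadow" | cut -c1-10
    rm -rf "$d"
}
```

The exported hashes remain readable by whichever account owns the destination directory, which is the trade-off raised in the quoted reply about negating the shadow file's benefits.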