[squid-users] Re: PAM-Help!

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 1 Sep 2002 01:27:13 +0200

Shadow passwords require any programs needing access to the password
database to run as root. This is consistent throughout the whole system
and is by design of the security concept of UNIX. Only root has
access to the securely stored password hashes.

My recommendation to you is to NOT use the UNIX/Linux password
database for proxy passwords. Instead use a separate NCSA style
password database for the proxy.

Another option for you is to write another authentication helper. If
you need your users to use their Linux password then I presume this
is because you are also providing some other services on the same
server using the same password database? If so then writing an
authentication helper that calls this other service for the
authentication should not be too hard, usually not more than a
handful of lines of Perl code. This would then not need to run as root
as it isn't accessing the password database.

Regards
Henrik

On Saturday 31 August 2002 16.30, S.Gopinath wrote:
> Dear Sir,
>
> I use Squid Ver 2.4 stable7 release and compiled and installed.
> I wanna use PAM Authentication Module for authenticating the proxy
> user against regular Linux password database. I compiled pam_auth
> modules in the auth_modules directory and installed and configured
> correctly. Initially it was not working. Then I SUID the pam_auth
> program and they started working. My squid is configured to work as
> user "squid". My question is: is it not possible to make pam_auth
> to work without SUID?
> Please mail me back Sir.
> Thanks,
> S.Gopinath
Received on Sat Aug 31 2002 - 17:57:47 MDT
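
An illustration of the helper approach suggested in the reply above, added here as an example and not taken from the original message or from Squid: a basic-auth helper that runs as the unprivileged proxy user and delegates the password check to another service instead of reading the shadow database. It is written in Python rather than Perl. The assumptions are that the other service is an IMAP server reachable over TLS, that `IMAP_HOST` is a placeholder, and that Squid sends one URL-escaped `username password` line per request and expects `OK` or `ERR` back.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper that checks credentials with an IMAP login.

Runs as the unprivileged proxy user and never opens /etc/shadow.
The IMAP server stands in for "some other service" that already
authenticates against the Linux password database (an assumption).
"""
import imaplib
import re
import ssl
import sys
from urllib.parse import unquote

IMAP_HOST = "imap.example.internal"  # placeholder, not from the original post
# Allowlist for user names: no spaces, quotes or control characters, so the
# name cannot alter the LOGIN command sent to the IMAP server.
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def imap_check(user, password):
    """Return True only if the IMAP server accepts the login."""
    tls = ssl.create_default_context()  # verify the server certificate
    try:
        with imaplib.IMAP4_SSL(IMAP_HOST, ssl_context=tls, timeout=5) as conn:
            conn.login(user, password)
        return True
    except (imaplib.IMAP4.error, OSError):
        return False  # bad credentials or unreachable service: fail closed


def handle_line(line, check=imap_check):
    """Turn one 'username password' request line into 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    # Assumption: both fields arrive URL-escaped, as current Squid sends them.
    user, password = unquote(parts[0]), unquote(parts[1])
    if not USER_RE.fullmatch(user) or not password:
        return "ERR"
    # Printable ASCII only: rejects CR/LF and other control bytes.
    if not all(0x20 <= ord(c) < 0x7F for c in password):
        return "ERR"
    return "OK" if check(user, password) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        # Squid waits for one reply line per request, so flush every answer.
        print(handle_line(request), flush=True)
```

The helper file needs no SUID bit and can be owned by root with mode 0755. Only the IMAP server process ever touches the password hashes.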
