From: idunham@lavabit.com
To: musl@lists.openwall.com
Subject: Re: Design for extensible passwd[/shadow?] db support
Date: Sun, 12 Aug 2012 20:26:24 -0400 (EDT) [thread overview]
Message-ID: <20538.50.0.229.11.1344817584.squirrel@lavabit.com> (raw)
> Presumably at some point, musl will be used in environments where it's
> not feasible to have the entire user database in a flat password file.
> Despite NIS being hideous, largish institutions use it for this
> reason; presumably LDAP is a much better option, and there may be
> other options still I'm not aware of.
Out of curiosity, is PAM excluded from consideration? Does it require a
dynamically-loaded library?
And will the pam-lite source ever show up somewhere? ;)
> What I'm looking for is a way to allow musl to access user data that's
> not provided with flat files in /etc, but without bloating musl or
> introducing dependencies on abominations like RPC.
>
> The idea I have is to add a single lookup method to musl, whereby it
> can query a local daemon of some sort for user information in a clean,
> simple protocol. Such a daemon can in turn translate to NIS, if
> desired, or to SQL db queries, or to whatever back-end the admin wants
> to use. I'm fairly settled on this general approach, but since I'm not
> at all familiar with the existing approaches, I'd like to seek some
> further input.
>
> The first main question is what protocol to use. One really simple
> choice would be a plain text protocol where the name/uid of requested
> user is sent over a socket (probably a datagram unix socket) and the
> response comes back in standard colon-delimited passwd format for the
> existing passwd code to parse. This seems very clean, but as far as I
> know it doesn't have any existing implementations.
I presume, for security reasons, that this would be the contents of
/etc/passwd as found on shadow-enabled systems...but how does the password
get authenticated?
Or are unix sockets immune to sniffing?
> Alternatively, we could make musl speak an existing query language
> (e.g. LDAP) directly, such that it could interface with any existing
> server out there that speaks the chosen protocol, or with a proxy that
> translates to other protocols like NIS.
If you do any sort of communication over sockets/networks/... with a
daemon, I'd suggest having musl communicate with a PAM-capable daemon.
PAM is meant for scenarios like this.
Isaac Dunham
next reply other threads:[~2012-08-13 0:26 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-13 0:26 idunham [this message]
2012-08-13 0:31 ` Rich Felker
2012-08-13 10:45 ` Daniel Cegiełka
2012-08-13 13:46 ` Rich Felker
-- strict thread matches above, loose matches on Subject: below --
2012-08-12 5:38 Rich Felker
2012-08-12 15:16 ` Jeremy Huntwork
2012-08-12 17:27 ` Rich Felker
2012-08-12 17:34 ` Rich Felker
2012-08-12 19:10 ` Arvid E. Picciani
2012-08-12 20:56 ` Rich Felker
2012-08-13 9:41 ` Arvid E. Picciani
2012-08-13 12:27 ` Luca Barbato
2012-08-13 12:46 ` Kurt H Maier
2012-08-13 13:50 ` Rich Felker
2012-08-13 19:22 ` Arvid E. Picciani
2012-08-13 19:28 ` Rich Felker
2012-08-13 19:38 ` Arvid E. Picciani
2012-08-13 19:50 ` Rich Felker
2012-08-13 20:14 ` Arvid E. Picciani
2012-08-13 21:03 ` Rich Felker
2012-08-13 22:10 ` Luca Barbato
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20538.50.0.229.11.1344817584.squirrel@lavabit.com \
--to=idunham@lavabit.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).