Thu 2006-04-27 at 17:44 -0300, Giancarlo Razzolini wrote:
> I recently wrote a plugin for the OpenVPN program that authenticates
> users either using the getpwnam or the getspnam functions.
> A parameter in its makefile must be set to enable/disable SHADOW
> authentication, because I didn't want to use autoconf. I took a look
> in the code from the getpwnam helper and I think it shouldn't take more
> than a day to make it authenticate using either getpwnam or getspnam
> functions. And i really want to contribute with this proxy that helped
> me many times. I want to hear any comments from you guys.

Sounds like an excellent idea.

To be correct the helper has to support both concurrently. The same
system may have both shadow and non-shadow users. So how you are
supposed to use these is that you first try with getspnam(), if that
fails fall back on getpwnam().

Not all systems have getspnam() so a new configure test may be needed.

Also there are noticeable security implications as the helper has to be
installed set-user-id root (or set-group-id shadow on systems using a
shadow group) in order to be able to use getspnam(). Because of this
it's perhaps better to make a new getspnam helper based on the getpwnam
helper code.

Regards
Henrik
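
The lookup order described in the reply above, as an added example that is not code from the thread or from either helper: try getspnam() first and fall back to getpwnam() only when no shadow entry is returned. The names `lookup_hash`, `usable_hash` and `HAVE_SHADOW` are hypothetical, and the `__has_include` check is only a stand-in for the configure test.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the configure test (assumption: the compiler supports
 * __has_include, as GCC 5+ and Clang do). HAVE_SHADOW is a hypothetical name. */
#if defined(__has_include)
#  if __has_include(<shadow.h>)
#    include <shadow.h>
#    define HAVE_SHADOW 1
#  endif
#endif

enum hash_src { SRC_NONE, SRC_SHADOW, SRC_PASSWD };

/* Reject fields that must never be handed to crypt(3) as a hash: empty,
 * the "x" placeholder that points at the shadow file, and "*" / "!" markers. */
static int usable_hash(const char *h)
{
    if (h == NULL || h[0] == '\0' || strcmp(h, "x") == 0)
        return 0;
    return h[0] != '*' && h[0] != '!';
}

/* Copy the stored hash for `user` into `out` and report where it came from.
 * A shadow entry, when readable, is authoritative; passwd is the fallback. */
static enum hash_src lookup_hash(const char *user, char *out, size_t outlen)
{
    const char *h = NULL;
    enum hash_src src = SRC_NONE;
    struct passwd *pw;
#ifdef HAVE_SHADOW
    struct spwd *sp = getspnam(user); /* NULL without root or shadow group */
    if (sp != NULL) {
        h = sp->sp_pwdp;
        src = SRC_SHADOW;
    }
#endif
    if (src == SRC_NONE && (pw = getpwnam(user)) != NULL) {
        h = pw->pw_passwd;
        src = SRC_PASSWD;
    }
    if (!usable_hash(h) || strlen(h) >= outlen)
        return SRC_NONE;
    strcpy(out, h);
    return src;
}
```

When the helper runs without the privileges needed for getspnam(), the fallback sees only the `x` placeholder for shadow users, so `lookup_hash` returns `SRC_NONE` and the login is refused rather than compared against the placeholder.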