authentication service for unix

Discussion in 'Python' started by Diez B. Roggisch, Aug 25, 2004.

  1. Hi,

    this is not so much a python question, but as my app is developed in python,
    I'll ask anyway.

    I'm looking for a method to authenticate users for a corba application
    server, running under linux. I want to be able to authenticate users that
    are valid unix users. Having role/group information would be nice later on.

    Currently I use PAM, but that's not so good as I have to run the process as
    root - but for obvious reasons I don't especially like that idea.

    Any ideas? May LDAP be of any use here? Saslauthd seems to look good, but so
    far I haven't found a binding.

    --
    Regards,

    Diez B. Roggisch
    Diez B. Roggisch, Aug 25, 2004
    #1

  2. Diez B. Roggisch

    Paul Rubin Guest

    "Diez B. Roggisch" <> writes:
    > I'm looking for a method to authenticate users for a corba application
    > server, running under linux. I want to be able to authenticate users that
    > are valid unix users. Having role/group information would be nice later on.


    AF_UNIX sockets under Linux provide an "ancillary message" operation
    that lets you check the user id of the process at the other end of a
    socket. Unfortunately, Python's socket module doesn't support that
    operation. I have a Sourceforge bug in about it and may someday get
    around to writing a patch, but of course you're welcome to do it first ;).
    Paul Rubin, Aug 25, 2004
    #2
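
The peer-credential check described in the post above, as an added example that is not part of the original thread: Python 3 on Linux exposes `recvmsg`, `SO_PASSCRED` and `SCM_CREDENTIALS`, so a server can read the kernel-supplied pid, uid and gid of whoever sent a message on an AF_UNIX socket without running as root. The function names and the in-process socket pair are constructed for the demonstration; `describe_user` adds the group lookup asked for in the first post.

```python
import grp
import os
import pwd
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def recv_with_credentials(sock, bufsize=4096):
    """Receive one message and the kernel-supplied sender credentials."""
    data, ancdata, _, _ = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = UCRED.unpack(cdata[:UCRED.size])
            return data, {"pid": pid, "uid": uid, "gid": gid}
    return data, None  # no credentials attached: treat as unauthenticated


def describe_user(uid, gid):
    """Map numeric ids to (user name, group names); (None, []) if unknown."""
    try:
        name = pwd.getpwuid(uid).pw_name
    except KeyError:
        return None, []
    groups = []
    for g in os.getgrouplist(name, gid):
        try:
            groups.append(grp.getgrgid(g).gr_name)
        except KeyError:
            groups.append(str(g))  # gid without a group entry
    return name, groups


def demo():
    # Constructed exchange: both ends of the socket live in this process.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # Must be enabled on the receiving socket before the data arrives.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.sendall(b"hello")
        return recv_with_credentials(server)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    msg, cred = demo()
    print(msg, cred, describe_user(cred["uid"], cred["gid"]))
```

The credentials are only available for AF_UNIX connections, so this identifies clients running on the same host as the server and nothing arriving over TCP.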

  3. Diez B. Roggisch wrote:

    > Hi,
    >
    > this is not so much a python question, but as my app is developed
    > in python, I'll ask anyway.
    >
    > I'm looking for a method to authenticate users for a corba
    > application server, running under linux. I want to be able to
    > authenticate users that are valid unix users. Having role/group
    > information would be nice later on.
    >
    > Currently I use PAM, but that's not so good as I have to run the
    > process as root - but for obvious reasons I don't especially like
    > that idea.


    Using PAM is definitively not the reason why your process must be run
    as root. What exactly are you doing?

    Mathias
    Mathias Waack, Aug 25, 2004
    #3
  4. > Using PAM is definitively not the reason why your process must be run
    > as root. What exactly are you doing?


    Well, I started fiddling around with pam, and found that when running it as
    user the only one I could authenticate was the user the process ran with.

    Then I asked about that on the pam mailing list, and somebody told me that
    root rights are necessary.

    PAM is not very well documented - if you can point me in the right
    direction how to make it work for a normal user, and maybe even have some
    meta-data attached to a user (e.g. grouplist), you're very welcome!

    The following script is authenticating every user if run as root. The
    service "claros" is defined like this:

    auth required pam_unix.so
    account required pam_access.so


    Here comes the script.

    import PAM

    def authenticate(user, password):
        # Conversation callback: PAM hands it a list of prompts and expects
        # one (response, return_code) tuple per prompt.
        class AuthConv:
            def __init__(self, password):
                self.password = password

            def __call__(self, auth, query_list, userData):
                # Debug output: this prints the password in clear text.
                print("AuthConv called, pwd: %s" % self.password)
                resp = []
                for query, qt in query_list:
                    if qt == PAM.PAM_PROMPT_ECHO_ON:
                        resp.append((self.password, 0))
                    elif qt == PAM.PAM_PROMPT_ECHO_OFF:
                        resp.append((self.password, 0))
                    # The posted code compared the builtin `type` here
                    # instead of qt, so this branch could never match.
                    elif (qt == PAM.PAM_PROMPT_ERROR_MSG or
                          qt == PAM.PAM_PROMPT_TEXT_INFO):
                        print(query)
                        resp.append(('', 0))
                    else:
                        return None
                return resp

        auth = PAM.pam()
        auth.start("claros")
        auth.set_item(PAM.PAM_USER, user)
        auth.set_item(PAM.PAM_CONV, AuthConv(password))
        try:
            auth.authenticate()
            auth.acct_mgmt()
            print("Authentication successful")
        except PAM.error as resp:
            print('Go away, %s! (%s)' % (user, resp))
            raise


    authenticate("user", "pwd")

    --
    Regards,

    Diez B. Roggisch
    Diez B. Roggisch, Aug 25, 2004
    #4
  5. Diez B. Roggisch wrote:

    >> Using PAM is definitively not the reason why your process must be
    >> run as root. What exactly are you doing?

    >
    > Well, I started fiddling around with pam, and found that when
    > running it as user the only one I could authenticate was the user
    > the process ran with.


    Ok, my fault - you're right. If you are going to authenticate a local
    user you usually need read access to /etc/shadow.

    The easiest way to work around is using an existing tool like login
    or su. They do the PAM stuff for you.

    Mathias
    Mathias Waack, Aug 26, 2004
    #5