authentication service for unix

Diez B. Roggisch

Hi,

this is not so much a Python question, but as my app is developed in Python,
I'll ask anyway.

I'm looking for a method to authenticate users for a CORBA application
server, running under Linux. I want to be able to authenticate users that
are valid unix users. Having role/group information would be nice later on.

Currently I use PAM, but that's not so good as I have to run the process as
root - but for obvious reasons I don't especially like that idea.

Any ideas? May LDAP be of any use here? Saslauthd seems to look good, but so
far I haven't found a binding.
 
Paul Rubin

Diez B. Roggisch said:
I'm looking for a method to authenticate users for a CORBA application
server, running under Linux. I want to be able to authenticate users that
are valid unix users. Having role/group information would be nice later on.

AF_UNIX sockets under Linux provide an "ancillary message" operation
that lets you check the user id of the process at the other end of a
socket. Unfortunately, Python's socket module doesn't support that
operation. I have a Sourceforge bug in about it and may someday get
around to writing a patch, but of course you're welcome to do it first ;).
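
The peer-credential check described in the post above, as an added example that is not part of the original thread: on Linux, current Python 3 exposes `recvmsg`, `SO_PASSCRED` and `SCM_CREDENTIALS`, so a server can read the kernel-supplied pid/uid/gid of a local client and look up its groups. It only covers clients that connect over a Unix-domain socket on the same host; `recv_with_credentials`, `describe_user` and `demo` are names made up for this example, and the socketpair exchange is constructed.

```python
import grp
import os
import pwd
import socket
import struct

UCRED = struct.Struct("3i")  # Linux struct ucred: pid, uid, gid


def recv_with_credentials(sock, bufsize=1024):
    """Return (data, (pid, uid, gid)); creds is None if the kernel sent none."""
    data, ancdata, flags, _ = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    if flags & socket.MSG_CTRUNC:
        raise OSError("control message truncated, credentials unreliable")
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None


def describe_user(uid):
    """Map a uid to (login name, group names); (None, []) if it has no passwd entry."""
    try:
        entry = pwd.getpwuid(uid)
    except KeyError:
        return None, []
    groups = []
    for gid in os.getgrouplist(entry.pw_name, entry.pw_gid):
        try:
            groups.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            groups.append(str(gid))  # gid without a group entry
    return entry.pw_name, sorted(groups)


def demo():
    """Constructed exchange: both ends are this process, so the peer is ourselves."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        # The receiver opts in; the sender cannot forge what the kernel attaches.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.sendall(b"hello")
        return recv_with_credentials(server)


if __name__ == "__main__":
    data, (pid, uid, gid) = demo()
    print(pid, uid, gid, describe_user(uid))
```

The server process needs no root rights and never sees a password, because the identity comes from the kernel rather than from anything the client claims.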
 
Mathias Waack

Diez said:
Hi,

this is not so much a Python question, but as my app is developed
in Python, I'll ask anyway.

I'm looking for a method to authenticate users for a CORBA
application server, running under Linux. I want to be able to
authenticate users that are valid unix users. Having role/group
information would be nice later on.

Currently I use PAM, but that's not so good as I have to run the
process as root - but for obvious reasons I don't especially like
that idea.

Using PAM is definitively not the reason why your process must be run
as root. What exactly are you doing?

Mathias
 
Diez B. Roggisch

Using PAM is definitively not the reason why your process must be run
as root. What exactly are you doing?

Well, I started fiddling around with PAM, and found that when running it as
a user the only one I could authenticate was the user the process ran with.

Then I asked about that on the PAM mailing list, and somebody told me that
root rights are necessary.

PAM is not very well documented - if you can point me in the right
direction how to make it work for a normal user, and maybe even have some
meta-data attached to a user (e.g. grouplist), you're very welcome!

The following script is authenticating every user if run as root. The
service "claros" is defined like this:

auth required pam_unix.so
account required pam_access.so


Here comes the script.

import PAM


def authenticate(user, password):
    # Conversation callback: PAM calls it with the prompts it wants answered.
    class AuthConv:
        def __init__(_, password):
            _.password = password

        def __call__(_, auth, query_list, userData):
            # Debug output; note that this prints the cleartext password.
            print("AuthConv called, pwd: %s" % _.password)
            resp = []
            for query, qt in query_list:
                if qt == PAM.PAM_PROMPT_ECHO_ON:
                    resp.append((_.password, 0))
                elif qt == PAM.PAM_PROMPT_ECHO_OFF:
                    resp.append((_.password, 0))
                elif (qt == PAM.PAM_PROMPT_ERROR_MSG or
                      qt == PAM.PAM_PROMPT_TEXT_INFO):
                    # Informational message from a module: show it, answer empty.
                    print(query)
                    resp.append(('', 0))
                else:
                    # Unknown prompt type: abort the conversation.
                    return None
            return resp

    auth = PAM.pam()
    auth.start("claros")
    auth.set_item(PAM.PAM_USER, user)
    auth.set_item(PAM.PAM_CONV, AuthConv(password))
    try:
        auth.authenticate()  # "auth" stack of the service (pam_unix.so)
        auth.acct_mgmt()     # "account" stack of the service (pam_access.so)
        print("Authentication successful")
    except PAM.error as resp:
        print('Go away, %s! (%s)' % (user, resp))
        raise


authenticate("user", "pwd")
 
Mathias Waack

Diez said:
Well, I started fiddling around with PAM, and found that when
running it as a user the only one I could authenticate was the user
the process ran with.

Ok, my fault - you're right. If you are going to authenticate a local
user you usually need read access to /etc/shadow.

The easiest way to work around this is to use an existing tool like login
or su. They do the PAM stuff for you.

Mathias
 
