I see.
In summary, PAM is still difficult for using two passwords for two different ways, right?
I will try to read more about PAM to see if so.
Thanks.
On 5/30/07, Les Mikesell <lesmikesell@gmail.com> wrote:
Wei Yu wrote:
> Could you give more details? I am not familiar with PAM.
> I know it can use some "plugged" auth methods to do some job, but I do
> not know which plug is suitable.
If you are running CentOS, all of your system authentication is probably
being done by PAM for all programs that take a login and password except
for apache. If you run 'authconfig' you can set one or more methods
that are then used by everything. However, each service may still be
configured separately. If you look in the /etc/pam.d directory you will
see a file for each service that contains the steps to follow. The
references to system-auth include the list built by authconfig - but you
can change it per file if you want.
> What I want is just like Richardson's remarks. I want to use two auth
> methods for web users and users who can have a shell, which the former
> will care less about the security of the password. e.g. two different
> passwords for them.
> I do want to know if there are better solutions.
If you really want your web access to be separate, PAM may not be the
way to go. Apache has a large number of internal authentication and
authorization modules that can be used instead. However, if you want to
combine them, you can install the mod_auth_pam apache module and use a
/etc/pam.d/httpd file like:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_permit.so
This uses the set of steps configured by authconfig to check a
login/password pair but does not require any account info. In my case I
have smb authentication against a windows domain plus local linux
accounts configured for the system. (The local account access requires
making the /etc/shadow file readable by apache which is a downside).
This lets anyone in the windows domain log in for web services but
services like ssh or other login facilities will require account entries
that won't exist unless I add users to the system. In the latter case,
either the domain or local passwords will work.
--
Les Mikesell
lesmikesell@gmail.com
--
Zijing 15# 1404B Tsinghua Univ.
+86 -10 -51537235
Zig
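
Added example, not part of the original thread: a small Python audit that expands the pam_stack.so/include references in per-service files such as the /etc/pam.d/httpd one quoted above, and reports which services run only pam_permit.so in their account stack. The SAMPLE file contents and the function names effective_stack and skips_account_check are constructed for illustration.

```python
import os

# Constructed sample mirroring the /etc/pam.d files described in the thread.
SAMPLE = {
    "system-auth": "#%PAM-1.0\n"
                   "auth     sufficient pam_unix.so\n"
                   "auth     required   pam_deny.so\n"
                   "account  required   pam_unix.so\n",
    "httpd": "#%PAM-1.0\n"
             "auth     required pam_stack.so service=system-auth\n"
             "account  required pam_permit.so\n",
    "sshd": "#%PAM-1.0\n"
            "auth     required pam_stack.so service=system-auth\n"
            "account  required pam_stack.so service=system-auth\n",
}

def effective_stack(service, files, seen=()):
    """Return [(type, control, module)] with pam_stack/include references expanded."""
    if service in seen:
        raise ValueError("include loop at " + service)
    out = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line, comment, or malformed entry
        mtype, control, rest = fields[0].lstrip("-"), fields[1], fields[2:]
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)  # rejoin "[success=1 default=ignore]"
        if not rest:
            continue
        module, args = os.path.basename(rest[0]), rest[1:]
        target = None
        if control in ("include", "substack"):
            target = module
        elif module == "pam_stack.so":
            target = next((a[8:] for a in args if a.startswith("service=")), None)
        if target in files:
            # Only entries of the same management group are pulled in.
            sub = effective_stack(target, files, seen + (service,))
            out += [e for e in sub if e[0] == mtype]
        else:
            out.append((mtype, control, module))
    return out

def skips_account_check(service, files):
    """True when the account stack consists solely of pam_permit.so."""
    mods = [m for t, _, m in effective_stack(service, files) if t == "account"]
    return bool(mods) and all(m == "pam_permit.so" for m in mods)
```

To audit a live host, build the dict from the files in /etc/pam.d (service name to file text) and call skips_account_check for each service.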