> Few modern OSs have the 'setpwfile()' function, and none that I know of
> will do it for shadow.
Is there a reason for this? It seems a useful feature...especially for
secondary authentication servers. Someone suggested it might introduce
new security holes, but I really don't see how.
> What you can do is grab a copy of any shadow login source and chop out
> the getpwnam() and getspnam() functions, change where they look for the
> file, and link them into your radiusd.
For Linux at least, these functions are implemented in libshadow, and
rather than link a new version of them into radiusd, I just hacked
libshadow and installed the new one, and considered it an upgrade :)
> BTW, you also want to look at the code in those two functions where it
> checks if the file is already open, and if not, reopens it. If you intend
> to occasionally replace the 'passwd' and 'shadow' files, you want to
> change the code so the files are CLOSED after each access, or else you
> will need to KILL and restart radiusd every time you load a new copy of
> those two files.
This confuses me. I see no code in radiusd or libshadow that would seem
responsible for closing the shadow file after doing a lookup (just did a
quick look), but a look in /proc/[radiusd's pid]/fd tells me radiusd is
not holding the shadow file open. I checked with strace, and that
explained it. Since I'm running radiusd the default way, each new auth
request forks a radiusd process, and that process opens the applicable
files, does its stuff, and terminates, closing (I suppose implicitly) the
files...so there is no problem with my scp'ing the shadow and users files
in every 30 minutes.
> I'd suggest using them both, just in case you delete a user from passwd
> and forget to remove them from the shadow file.
I try to never hand edit the passwd/shadow files, so that's not really a
problem, and since I didn't want to tackle libc or put all users in the
secondary's real passwd file, I had to give up passwd file lookups.
> While you're hacking up radiusd for your backup server, if you're using
> the code for changing passwords (I hear this is removed in the forthcoming
> release of Livingstons radius), you want to disable this on the backup
I don't use that at all. If users want to change their password, they
have shell on the primary radius server and can use passwd.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
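As an added example (not code from this thread, from libshadow, or from radiusd): a minimal getspnam()-style lookup that reads a shadow-format file from a caller-supplied path and opens and closes the file on every call, beside the "open once and rewind" pattern the quoted reply warns about. The names lookup_shadow(), lookup_shadow_stale(), replace_file() and demo_replacement(), and the sample entries, are constructed for this example; it assumes the new copy is installed by writing a temporary file and rename()ing it into place, which leaves a process that still holds the old file open reading the old inode.

```c
/* Added example, not from the thread, libshadow or radiusd. All names below
 * are hypothetical; sample shadow lines are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SP_NAME_MAX 64
#define SP_PWD_MAX  128

struct shadow_entry {
    char name[SP_NAME_MAX];   /* login name */
    char pwdp[SP_PWD_MAX];    /* encrypted password field */
    long lstchg;              /* days since epoch of last change, -1 if blank */
    long max;                 /* max days between changes, -1 if blank */
};

/* Parse one shadow(5) line "name:pwd:lstchg:min:max:warn:inact:expire:flag".
 * Modifies line in place. Returns 1 on success, 0 for a malformed line. */
static int parse_shadow_line(char *line, struct shadow_entry *e)
{
    char *f[9] = {0};
    int n = 0;
    line[strcspn(line, "\r\n")] = '\0';
    for (char *p = line; n < 9 && p; n++) {
        f[n] = p;
        char *c = strchr(p, ':');
        if (c) *c = '\0';
        p = c ? c + 1 : NULL;
    }
    if (n < 2 || f[0][0] == '\0') return 0;
    if (strlen(f[0]) >= SP_NAME_MAX || strlen(f[1]) >= SP_PWD_MAX) return 0;
    strcpy(e->name, f[0]);
    strcpy(e->pwdp, f[1]);
    e->lstchg = (n > 2 && f[2][0]) ? strtol(f[2], NULL, 10) : -1;
    e->max    = (n > 4 && f[4][0]) ? strtol(f[4], NULL, 10) : -1;
    return 1;
}

/* Open, scan, close on every call: a replaced file is seen by the next lookup.
 * Returns 1 if found, 0 if not found, -1 if the file cannot be opened. */
int lookup_shadow(const char *path, const char *user, struct shadow_entry *out)
{
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    char line[1024];
    int found = 0;
    while (fgets(line, sizeof line, fp)) {
        struct shadow_entry e;
        if (parse_shadow_line(line, &e) && strcmp(e.name, user) == 0) {
            if (out) *out = e;
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found;
}

/* Contrast: keep the FILE* open and rewind() per call. The handle pins the
 * original inode, so after a rename() replacement it still answers from the
 * old copy until the process is restarted. */
int lookup_shadow_stale(const char *path, const char *user, struct shadow_entry *out)
{
    static FILE *fp = NULL;
    if (!fp) fp = fopen(path, "r");
    if (!fp) return -1;
    rewind(fp);
    char line[1024];
    while (fgets(line, sizeof line, fp)) {
        struct shadow_entry e;
        if (parse_shadow_line(line, &e) && strcmp(e.name, user) == 0) {
            if (out) *out = e;
            return 1;
        }
    }
    return 0;
}

/* Install new contents atomically: write path.tmp, then rename() over path. */
int replace_file(const char *path, const char *contents)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *fp = fopen(tmp, "w");
    if (!fp) return -1;
    if (fputs(contents, fp) == EOF || fclose(fp) != 0) { unlink(tmp); return -1; }
    return rename(tmp, path);
}

/* Constructed data: two versions of alice's entry. Returns 0 when the fresh
 * lookup sees the new hash and the stale handle still sees the old one;
 * a nonzero code identifies the failing step. */
int demo_replacement(void)
{
    const char *v1 = "root:*:10000:0:99999:7:::\n"
                     "alice:$1$oldsalt$oldhashXXXXXXXXXXXXX:10000:0:99999:7:::\n";
    const char *v2 = "root:*:10000:0:99999:7:::\n"
                     "alice:$1$newsalt$newhashYYYYYYYYYYYYY:10100:0:99999:7:::\n";
    char path[] = "/tmp/shadow-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    struct shadow_entry fresh, stale;
    int rc = 2;
    if (replace_file(path, v1) != 0) goto out;
    rc = 3;
    if (lookup_shadow(path, "alice", &fresh) != 1 ||
        lookup_shadow_stale(path, "alice", &stale) != 1) goto out;
    rc = 4;
    if (strcmp(fresh.pwdp, stale.pwdp) != 0 || fresh.lstchg != 10000) goto out;
    rc = 5;
    if (replace_file(path, v2) != 0) goto out;   /* the "scp a new copy" step */
    rc = 6;
    if (lookup_shadow(path, "alice", &fresh) != 1 ||
        lookup_shadow_stale(path, "alice", &stale) != 1) goto out;
    rc = 7;
    if (strncmp(fresh.pwdp, "$1$newsalt$", 11) != 0) goto out;  /* fresh sees v2 */
    rc = 8;
    if (strncmp(stale.pwdp, "$1$oldsalt$", 11) != 0) goto out;  /* stale still v1 */
    rc = 9;
    if (lookup_shadow(path, "bob", NULL) != 0) goto out;        /* unknown user */
    rc = 0;
out:
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = demo_replacement();
    printf("demo_replacement: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The per-request fork that the message observed with strace gives the same effect as lookup_shadow() for free, because the child's descriptors vanish when it exits; the stale variant is what you get in a long-lived single process that caches the handle, and the check for it is the same one used above: list /proc/PID/fd and see whether the shadow file (or a "(deleted)" inode) is still held open.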