Re: Secondary radius server

Kevin Kadow (kadokev@ripco.com)
Fri, 11 Oct 1996 23:57:22 -0500 (CDT)

> > Few modern OSs have the 'setpwfile()' function, and none that I know of
> > will do it for shadow.
>
> Is there a reason for this? It seems a useful feature...especially for
> secondary authentication servers. Someone suggested it might introduce
> new security holes, but I really don't see how.

It makes it SLIGHTLY easier to add security holes. Without the command,
the pathnames to shadow and passwd are compiled in as static strings in
the library; with setpwfile(), by definition they can be changed. I
don't know of any security hole or exploits that rely on setpwfile...

> > What you can do is grab a copy of any shadow login source and chop out
> > the getpwnam() and getspnam() functions, change where they look for the
> > file, and link them into your radiusd.
>
> For Linux at least, these functions are implemented in libshadow, and
> rather than link a new version of them into radiusd, I just hacked
> libshadow and installed the new one, and considered it an upgrade :)

Makes sense.

We'll see how well all this works with the new Radius (soon, I hope).
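The approach discussed above (a getspnam()-style lookup that reads a shadow-format file from a path the server chooses rather than the compiled-in one), as an added C example that is not code from this thread, from libshadow or from any radiusd; the `sec_` function names, the sample file and its placeholder hash are constructed for illustration.

```c
/* Added example (not from the thread): getspnam()-style lookup on an explicit shadow-format path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sec_spwd {
    char name[64];     /* login name */
    char pwhash[256];  /* hashed password; "", "!" or "*" means no login */
    long days[6];      /* lastchg, min, max, warn, inact, expire; -1 if empty */
};

/* Parse one "name:hash:lastchg:min:max:warn:inact:expire:flag" line into *out.
 * Returns 1 on success, 0 if the name or hash field is missing. */
static int parse_shadow_line(char *line, struct sec_spwd *out)
{
    char *f[9] = {0};
    int n = 0;
    line[strcspn(line, "\n")] = '\0';
    for (char *p = line; p && n < 9; n++) {            /* split on ':' */
        f[n] = p;
        if ((p = strchr(p, ':')) != NULL) *p++ = '\0';
    }
    if (n < 2) return 0;
    snprintf(out->name, sizeof out->name, "%s", f[0]);
    snprintf(out->pwhash, sizeof out->pwhash, "%s", f[1]);
    for (int i = 0; i < 6; i++)                         /* day-count fields */
        out->days[i] = (f[i + 2] && *f[i + 2]) ? strtol(f[i + 2], NULL, 10) : -1;
    return 1;
}
/* Look up `name` in the shadow-format file at `path`. Exact match only, so "bob"
 * never matches "bobby". Returns 1 if found, 0 if absent or file unreadable. */
int sec_getspnam(const char *path, const char *name, struct sec_spwd *out)
{
    char line[1024];
    FILE *fp = fopen(path, "r");
    int found = 0;
    if (!fp) return 0;
    while (!found && fgets(line, sizeof line, fp))
        found = parse_shadow_line(line, out) && strcmp(out->name, name) == 0;
    fclose(fp);
    return found;
}
/* Write a constructed two-entry sample (placeholder hash, not a real digest). */
int sec_write_sample(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("bob:$1$PLACEHOLDERHASH$:10145:0:99999:7:::\nbobby:!:10146:0:99999:7::10200:\n", fp);
    return fclose(fp);   /* 0 on success */
}
```

The file the server reads this way needs the same ownership and mode discipline as /etc/shadow itself, since the hashes in it are what an attacker would want to copy.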