I recently switched all of my systems over to using libnss-mysql for all authentication. So far everything has worked without having to be changed except for my existing apache2 auth_pam setup. Are there any special considerations that need to be made for apache and the auth_pam module?
I would imagine auth_pam should work so long as you have a pam config which includes pam_unix (assuming Linux).
I'd need more details on your os/distro/pam config before I could get more detailed...
I found a workaround. In the libnss-mysql source, there is a call to getuid in an if statement that basically enforces the policy that a non-root user can never obtain shadow information. I disabled this condition so that the file permissions of /etc/libnss-mysql-root.cfg will govern this instead.
I wonder if the "SSH Privilege Separation" thread is related? Would you be willing to try the latest CVS to see if that does the trick for you?