UNIX: How to determine the authentication domain of a user ? - Security



Thread: UNIX: How to determine the authentication domain of a user ?

  1. UNIX: How to determine the authentication domain of a user ?

    Hi,

    Suppose there are two user accounts with the same name (vprabhu on
    local (i.e. files) as well as NIS), then /etc/nsswitch.conf determines
    which domain to authenticate against. However, depending on the OS,
    settings (for example authconfig settings in Linux) can alter the
    nsswitch.conf procedure.

    For example,

    cat /etc/nsswitch.conf|grep passwd
    passwd: nis files

    then if vprabhu logs in it will be authenticated against NIS. However,
    if the authconfig setting "Local authorization is sufficient" is ON,
    it will authenticate against FILES.

    Now, given this situation, how do we reliably know against which
    domain (local/NIS) a user has authenticated against while logging in ?
    If there is a POSIX API or portable API or even OS commands across
    major UNIX versions please let us know.

    Thanks,

    Gaurab

  2. Re: UNIX: How to determine the authentication domain of a user ?

    On 7 Feb, 03:22, "vasantha.prabhu" wrote:
    > Hi,
    >
    > Suppose there are two user accounts with the same name (vprabhu on
    > local (i.e. files) as well as NIS), then /etc/nsswitch.conf determines
    > which domain to authenticate against. However, depending on the OS,
    > settings (for example authconfig settings in Linux) can alter the
    > nsswitch.conf procedure.
    >
    > For example,
    >
    > cat /etc/nsswitch.conf|grep passwd
    > passwd: nis files
    >
    > then if vprabhu logs in it will be authenticated against NIS. However,
    > if the authconfig setting "Local authorization is sufficient" is ON,
    > it will authenticate against FILES.
    >
    > Now, given this situation, how do we reliably know against which
    > domain (local/NIS) a user has authenticated against while logging in ?
    > If there is a POSIX API or portable API or even OS commands across
    > major UNIX versions please let us know.
    >
    > Thanks,
    >
    > Gaurab


    You don't. You'd need to rewrite the pam modules in your chain to set
    a flag somewhere, but it's an ugly way to solve a silly problem

    C.

  3. Re: UNIX: How to determine the authentication domain of a user ?

    On Fri, 2008-02-08 at 05:04 -0800, C. wrote:
    ....
    >
    > You don't. You'd need to rewrite the pam modules in your chain to set
    > a flag somewhere, but it's an ugly way to solve a silly problem


    The main problem is pam_unix (or pam_unix2) which uses nsswitch.
    If every auth was just a pam stack module, you could insert a dummy
    module inside of the stack order to determine at what level
    a user achieved auth.

    But since NIS and files was mentioned... that's all pam_unix*.
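
An added example, not part of the thread or any poster's code: a shell sketch that audits the situation the question describes by reporting which source on the `passwd:` line answers first for a name and which other sources hold the same name. It goes beyond the two-source case by honouring `[NOTFOUND=return]`; the function names and sample files are assumptions, and it shows NSS lookup order only, not which PAM module accepted the password.

```shell
#!/bin/sh
# Added example (not from the thread): which NSS source answers first for a
# user name, and which other configured sources hold the same name.

# Tokens of the first "passwd:" line, lower-cased: sources and [status=action].
passwd_tokens() {
    sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Live lookup: ask exactly one source (glibc getent -s). Any failure is
# treated as "not found", a simplification of the NSS status codes.
real_lookup() { getent -s "$1" passwd "$2" >/dev/null 2>&1; }
# Constructed stand-in for offline runs: one passwd-format file per source.
sample_lookup() { grep -q "^$2:" "$SAMPLE_DIR/$1" 2>/dev/null; }
LOOKUP=${LOOKUP:-real_lookup}

# first_source USER CONF: first source holding USER; fails if none answers.
first_source() (
    set -f                                   # keep [..] tokens from globbing
    for tok in $(passwd_tokens "$2"); do
        case $tok in
            notfound=return*|\[notfound=return*) exit 1 ;;  # lookup stops here
            *=*) ;;                                         # other actions ignored
            *)   if "$LOOKUP" "$tok" "$1"; then echo "$tok"; exit 0; fi ;;
        esac
    done
    exit 1
)

# all_sources USER CONF: every configured source holding USER, one per line.
# More than one line means a same-name collision worth reviewing.
all_sources() (
    set -f
    for tok in $(passwd_tokens "$2"); do
        case $tok in *=*) ;; *) if "$LOOKUP" "$tok" "$1"; then echo "$tok"; fi ;; esac
    done
)

# Constructed sample: vprabhu exists in both sources, alice only in files.
make_sample() {
    SAMPLE_DIR=$(mktemp -d)
    printf 'passwd: nis files\n' > "$SAMPLE_DIR/nsswitch.conf"
    printf 'passwd: nis [NOTFOUND=return] files\n' > "$SAMPLE_DIR/strict.conf"
    printf 'vprabhu:x:1001:100::/home/vprabhu:/bin/sh\n' > "$SAMPLE_DIR/nis"
    printf 'vprabhu:x:501:100::/home/vprabhu:/bin/sh\n' > "$SAMPLE_DIR/files"
    printf 'alice:x:502:100::/home/alice:/bin/sh\n' >> "$SAMPLE_DIR/files"
}
if [ "${1:-}" = demo ]; then make_sample; LOOKUP=sample_lookup; first_source vprabhu "$SAMPLE_DIR/nsswitch.conf"; fi
```

On a live host, leave `LOOKUP` unset and call `first_source vprabhu /etc/nsswitch.conf`, then `all_sources vprabhu /etc/nsswitch.conf` to list collisions.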


