[clug] PAM module restricting ranges of UIDs

Michael James michael at james.st
Tue Apr 8 11:35:39 EST 2003


Using PAM, I've got usernames/passwords being checked:
	first against the local password/shadow file
	then against a Windows domain controller using krb5.

If they pass locally, they're in.  (sufficient)

Works fine even if users have different passwords in each place.
Tries one and (if necessary) tries the other.

Trouble is, Windows seems to accept any password
 for some funny system accounts.
This includes one called "root".  Bad Bad Bad.

At present I'm holding the line with pam_listusers.so
 and adding them to a file /etc/windows_users.

But to save maintaining that file
 it would be better to base it on UID.

All the valid Windows users have UIDs in the range 20,000 - 40,000.

Anyone seen a PAM module that checks UID,
 or should I start extending pam_localuser.so
 to do some extra tests besides just looking for existence?

michaelj

-- 
Michael James				michael at james.st
Network Programmer			voice:	02 6246 5040
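
An added example, not part of the original post: one way to express the UID check in the PAM stack itself, assuming a Linux-PAM build that ships pam_succeed_if.so. The file path, the pam_krb5.so line and its use_first_pass option are assumptions; the 20000-40000 range is the one given in the post.

```conf
# /etc/pam.d/system-auth
# (hypothetical path; use whichever service file holds the auth stack)

# --- Before: the stack as described in the post (krb5 line is assumed) ---
# auth  sufficient  pam_unix.so
# auth  required    pam_krb5.so use_first_pass
# Any account name the domain controller accepts gets in, including "root".

# --- After: gate the Kerberos fallback on the local UID range ---

# 1. Local passwd/shadow check. Success ends the auth stack here, so local
#    accounts with a correct local password are unaffected by the lines below.
auth  sufficient  pam_unix.so

# 2. Only reached when the local check did not succeed. "requisite" fails
#    the stack immediately, so an account outside 20000-40000 (root is
#    UID 0) never has its password sent to the domain controller.
auth  requisite   pam_succeed_if.so uid >= 20000 quiet
auth  requisite   pam_succeed_if.so uid <= 40000 quiet

# 3. Domain check for accounts inside the range, reusing the password
#    already typed for step 1.
auth  sufficient  pam_krb5.so use_first_pass

# 4. Nothing above succeeded: deny.
auth  required    pam_deny.so
```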

