Thread: Authentication against /etc/passwd?

Authentication against /etc/passwd?

From
Date:
Is there any way to authenticate users against the /etc/passwd (or
/etc/shadow) file rather than the pg_shadow table? Is there any good
reason for *not* wanting to do this (other than the general badness of
sending passwords in plain text across the network, that is...)?

Adrian Jackson


Re: PAM support? (was: Authentication against /etc/passwd?)

From
"Anthony E . Greene"
Date:
On Wed, 21 Mar 2001 10:38:28 Adrian.Jackson@ioshq.com wrote:
>Is there any way to authenticate users against the /etc/passwd (or
>/etc/shadow) file rather than the pg_shadow table? Is there any good
>reason for *not* wanting to do this (other than the general badness of
>sending passwords in plain text across the network, that is...)?

PAM support might be a better option. I looked around the 'Net and around
the Web site and could not find any information indicating whether or not
someone is working on this.

Tony
--
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
Chat:  AOL/Yahoo: TonyG05    ICQ: 91183266
Linux. The choice of a GNU Generation. <http://www.linux.org/>

Re: Authentication against /etc/passwd?

From
Tom Lane
Date:
<Adrian.Jackson@ioshq.com> writes:
> Is there any way to authenticate users against the /etc/passwd (or
> /etc/shadow) file rather than the pg_shadow table? Is there any good
> reason for *not* wanting to do this

Postgres users are not the same as Unix users --- there's no
particularly good reason to assume that remote users of your
database will have accounts on the server machine.  (In fact,
I'd say it's a more secure setup if they *don't*.)

There's also the small point that on well-secured systems, the
real passwords aren't in /etc/passwd at all, and the postmaster
certainly should not have privileges to read /etc/shadow.

If you insist on doing this (and you keep passwords in /etc/passwd),
I believe it would work to set up password auth with a flat password
file that's just a symlink to /etc/passwd.  The format is deliberately
chosen to be compatible...

            regards, tom lane