christi.scarborough@??? said:
> This would be kind of bizzare, and would seem to defeat the purpose of
> PAM somewhat. That doesn't mean it's not true, however.
A helper binary, pwdb_chkpwd, is provided to check the user's
password when it is stored in a read protected database. This
binary is very simple and will only check the password of the
user invoking it. It is called transparently on behalf of the
user by the authenticating component of this module. In this
way it is possible for applications like xlock to work without
being setuid-root.
Shadow passwords are there so only root can see the crypted password.
Allowing the user to check against their own password makes some sense,
but wider access risks people being able to brute force shadow
passwords just like normal ones...
Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
