On Wed, May 05, 2004 at 01:49:46AM -0400, Ben Chabot wrote:
> Sorry if this is somewhat offtopic, but it has to do with checkpassword,
> and I thought someone here could really help me out.
>
> First, how secure is checkpassword?
>
> Second, I posted a while ago (and it was revised for me thankfully!) a
> checkpassword.pl script that rewrote usernames based on sendmail's
> virtusertable. And it seems to work really well for me so far (I'm not
> sure how it's going to go when virtusertable gets bigger, but I could
> probably rewrite usernames off a DB at that point), translating email
> address to usernames so the full email address can be used for pop or
> imap.

This is the vpopmail (common virtual domain package used with qmail)
approach as well.

> At any rate, I'd like to do the same thing with ssh (sftp really). Just
> for the simplicity of doing everything with one's email address. I'm a
> bit confused as to how checkpassword.pl would be called from C though.
> I believe I have found the code where sshd authenticates passwords
> (auth_passwd.c), so basically it looks like, instead of encrypting the
> password and matching against the password from /etc/shadow, I need to
> call checkpassword.pl here and pass it the username and password
> supplied by the user, it will rewrite them to the real username and tell
> me if they are good or not.
>
> This sound about right?

Well, yes and no. OpenSSH has a whole lot of code to do authentication
for a reason - it can sometimes be pretty complex. If you can leave it
unmodified and still get the same result that would be very good. Maybe
you could try doing some PAM trickery?

//Peter
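How a C caller hands a login and password to a checkpassword-compatible program, as an added example that is not part of the original message and is not OpenSSH code: the credentials reach the child on file descriptor 3 as `login\0password\0timestamp\0`, never in argv or the environment, and the exit code carries the verdict. The function name and the `/bin/sh` stand-in verifier are assumptions made for the illustration; a real call would put the path to checkpassword.pl, followed by the program it should run on success (for example `/bin/true`), in `argv`.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a checkpassword-compatible program (argv[0] is its path) and return its
 * exit code: 0 accepted, 1 rejected, 2 misuse, 111 temporary failure.
 * Local errors are reported as 111 so the caller fails closed. */
int checkpassword_verify(char *const argv[], const char *user, const char *pass)
{
    char buf[512];                          /* interface allows at most 512 bytes */
    size_t ulen = strlen(user), plen = strlen(pass), len = ulen + plen + 3;
    int p[2], status = 0;
    pid_t pid;

    if (len > sizeof buf) return 2;
    memcpy(buf, user, ulen + 1);            /* "login\0" */
    memcpy(buf + ulen + 1, pass, plen + 1); /* "password\0" */
    buf[len - 1] = '\0';                    /* empty timestamp field */

    if (pipe(p) < 0) return 111;
    if ((pid = fork()) < 0) { close(p[0]); close(p[1]); return 111; }
    if (pid == 0) {                         /* child: read end must be fd 3 */
        close(p[1]);
        if (p[0] != 3 && (dup2(p[0], 3) < 0 || close(p[0]) < 0)) _exit(111);
        execv(argv[0], argv);
        _exit(111);                         /* exec failed */
    }
    close(p[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN); /* child may exit unread */
    ssize_t n = write(p[1], buf, len);      /* the exit code decides, not n */
    (void)n;
    close(p[1]);                            /* EOF marks the end of the input */
    signal(SIGPIPE, old);
    memset(buf, 0, sizeof buf);             /* best-effort wipe of the password */
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return 111;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 111;
}

int main(void)
{
    /* Constructed stand-in verifier: accepts exactly one login/password pair. */
    char *argv[] = {"/bin/sh", "-c",
        "[ \"$(tr '\\000' : <&3)\" = 'ben@example.com:s3cret::' ]", NULL};
    printf("exit code: %d\n", checkpassword_verify(argv, "ben@example.com", "s3cret"));
    return 0;
}
```

Treating every non-zero result, including 111 and a child killed by a signal, as a refusal keeps a broken or missing verifier from ever granting a login.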
