Authenticate loginID/Password if not 'root'
We have a server implemented in C where we would like to improve authentication when a client requests service (via an SSL connection).
The client can run from anywhere but will be updated to send a LoginID/password (over the encrypted link), but how can we verify this?
Actual Linux authentication is set up in LDAP. Attempts to use 'getpwnam(...)' and other similar functions have all failed -- since we do not (and don't want to) run the server as 'root', these return 'x' instead of the encrypted password. In fact, we'd rather not even retrieve the encrypted password in the first place.
Is there any function such as:
canLogin(final char *login, final char *pwd)
which would run at a non-root level but still authenticate the given login/pwd and return either 0 or an error code (or possibly the UID of the user if it verifies OK)?
Essentially, 'canLogin' verifies that if this login/pwd were presented at a normal Login: prompt, then the login would be accepted.
We understand the potential hacking problem, so would expect some built-in time delay to prevent a rapid series of calls.
The only other solution appears to be forking another process and using 'su' to 'root' to gather the data, but this appears both messy and a potential security breach.
Thanks for any suggestions.