Unix Technical Forum

Re: Pam for encrypt password

04-20-2008, 05:29 PM
Manoj Mohan


That sounds right.. we need to have a PAM module which will take the
password encrypted with blowfish cipher and authenticate it
and then we should put that in the pam stack in the pam.conf file.

Manoj


From: "Ian Michael Gumby" <im_gumby@hotmail.com>
To: Manoj Mohan/Lenexa/IBM@IBMUS, mikz2001@mail.ru
cc: informix-list-bounces@iiug.org, informix-list@iiug.org
Date: 10/31/2007 10:59 AM
Subject: Re: Pam for encrypt password

I don't think the problem is in Informix per se.

The OP changed their encryption from "traditional" to "blowfish".
The OP states that the "traditional" passwords were authenticated, while
the "blowfish" passwords could not be authenticated.

What it sounds like is that when he calls PAM, he should have the module
order include the module to authenticate using "blowfish" and then call
the module to authenticate via "traditional".

I'm going to assume that he wants to authenticate against either and it's
down within PAM that he needs to make the changes.


>From: Manoj Mohan <manojm@us.ibm.com>


>I am not sure what exactly you mean by the blowfish part.
>However, since you have configured "other" service and other service is
>configured to do traditional authentication,
>that is most probably the reason why all traditional UNIX authentication
>is passing for you.
>
>other auth requisite pam_authtok_get.so.1
>other auth required pam_dhkeys.so.1
>other auth required pam_unix_auth.so.1.
>
>Manoj
>
>
>
>From: mikz2001@mail.ru
>Sent by: informix-list-bounces@iiug.org
>To: informix-list@iiug.org
>Date: 10/31/2007 03:43 AM
>Subject: Pam for encrypt password
>
>Hello, all.
>
>I have a problem with PAM (Pluggable Authentication Module).
>I have IBM Informix Dynamic Server Version 9.40.UC8 on Solaris 9.
>I can't adapt Informix for user authorization by PAM.
>In the past he used the traditional UNIX encryption algorithm for
>encrypting passwords for /etc/shadow. But the encryption algorithm was
>changed one month ago to Blowfish.
>Now we have this situation:
>
>In sqlhosts we have
>Ids_serv ontlitcp mach sqlexec1 s=4,pam_serv=(other) ,pamauth=(password)
>
>All users whose password was encrypted by the traditional UNIX
>encryption algorithm authorize successfully. But all users whose
>password was encrypted by Blowfish get error -1812.
>
>How can I adapt Informix for user authorization by PAM with Blowfish?
>
>PAM.CONF
>login auth requisite pam_authtok_get.so.1
>login auth required pam_dhkeys.so.1
>login auth required pam_unix_auth.so.1
>login auth required pam_dial_auth.so.1
>#
># rlogin service (explicit because of pam_rhost_auth)
>#
>rlogin auth sufficient pam_rhosts_auth.so.1
>rlogin auth requisite pam_authtok_get.so.1
>rlogin auth required pam_dhkeys.so.1
>rlogin auth required pam_unix_auth.so.1
>#
># rsh service (explicit because of pam_rhost_auth,
># and pam_unix_auth for meaningful pam_setcred)
>#
>rsh auth sufficient pam_rhosts_auth.so.1
>rsh auth required pam_unix_auth.so.1
>#
># PPP service (explicit because of pam_dial_auth)
>#
>ppp auth requisite pam_authtok_get.so.1
>ppp auth required pam_dhkeys.so.1
>ppp auth required pam_unix_auth.so.1
>ppp auth required pam_dial_auth.so.1
>#
># Default definitions for Authentication management
># Used when service name is not explicitly mentioned for authentication
>#
>other auth requisite pam_authtok_get.so.1
>other auth required pam_dhkeys.so.1
>other auth required pam_unix_auth.so.1
>#
># passwd command (explicit because of a different authentication module)
>#
>passwd auth required pam_passwd_auth.so.1
>#
># cron service (explicit because of non-usage of pam_roles.so.1)
>#
>cron account required pam_projects.so.1
>cron account required pam_unix_account.so.1
>## Default definition for Account management
># Used when service name is not explicitly mentioned for account management
>#
>other account requisite pam_roles.so.1
>other account required pam_projects.so.1
>other account required pam_unix_account.so.1
>#
># Default definition for Session management
># Used when service name is not explicitly mentioned for session management
>#
>other session required pam_unix_session.so.1
>#
># Default definition for Password management
># Used when service name is not explicitly mentioned for password management
>#
>other password required pam_dhkeys.so.1
>other password requisite pam_authtok_get.so.1
>other password requisite pam_authtok_check.so.1
>other password required pam_authtok_store.so.1
>#
># Support for Kerberos V5 authentication (uncomment to use Kerberos)
>#
>#rlogin auth optional pam_krb5.so.1 try_first_pass
>#login auth optional pam_krb5.so.1 try_first_pass
>#other auth optional pam_krb5.so.1 try_first_pass
>#cron account optional pam_krb5.so.1
>#other account optional pam_krb5.so.1
>#other session optional pam_krb5.so.1
>#other password optional pam_krb5.so.1 try_first_pass
>
>
>
>
>POLICY.CONF
># Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved.
># Use is subject to license terms.
>#
># /etc/security/policy.conf
>#
># security policy configuration for user attributes. see policy.conf(4)
>#
>#ident "@(#)policy.conf 1.6 02/06/19 SMI"
>#
>AUTHS_GRANTED=solaris.device.cdrw
>PROFS_GRANTED=Basic Solaris User
>
># crypt(3c) Algorithms Configuration
>#
># CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
># be used for new passwords. This is enforced only in crypt_gensalt(3c).
>#
>CRYPT_ALGORITHMS_ALLOW=1,2a,md5
>
># To deprecate use of the traditional unix algorithm, uncomment below
># and change CRYPT_DEFAULT= to another algorithm. For example,
># CRYPT_DEFAULT=1 for BSD/Linux MD5.
>
>_______________________________________________
>Informix-list mailing list
>Informix-list@iiug.org
>http://www.iiug.org/mailman/listinfo/informix-list

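An added example, not part of the original thread: a small Python audit that groups /etc/shadow accounts by the crypt(3c) algorithm of their stored hash, so the accounts carrying `$2a$` (Blowfish) hashes, the ones the thread reports failing with -1812, can be listed and checked against policy.conf. The sample shadow lines, the `CRYPT_DEFAULT=2a` value and all function names are constructed for illustration.

```python
import re

# crypt.conf(4) identifiers used in policy.conf -> prefix of the stored hash.
PREFIXES = {"1": "$1$", "2a": "$2a$", "md5": "$md5"}
UNIX_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt: 2 salt + 11 hash chars

def classify(field):
    """Return the algorithm identifier for one /etc/shadow password field."""
    if field in ("", "NP") or field.startswith("*LK*"):
        return "none"  # empty, no-password or locked account
    for ident, prefix in PREFIXES.items():
        if field.startswith(prefix):
            return ident
    return "__unix__" if UNIX_RE.match(field) else "unknown"

def audit(shadow_text):
    """Group account names by the algorithm that produced their stored hash."""
    groups = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0]:
            groups.setdefault(classify(parts[1]), []).append(parts[0])
    return groups

def parse_policy(text):
    """Return (CRYPT_ALGORITHMS_ALLOW as a list, CRYPT_DEFAULT) from policy.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    allow = [a for a in conf.get("CRYPT_ALGORITHMS_ALLOW", "").split(",") if a]
    return allow, conf.get("CRYPT_DEFAULT", "__unix__")  # unset means traditional

# Constructed sample data: the hash bodies are placeholders, not real hashes.
SHADOW = """\
alice:abCdEfGhIjKlM:13800::::::
bob:$2a$04$CONSTRUCTEDsaltCONSTRUCTEDhash:13850::::::
carol:$1$salt$CONSTRUCTEDhash:13850::::::
dave:$md5,rounds=5000$salt$$CONSTRUCTEDhash:13850::::::
svc:NP:6445::::::
old:*LK*:::::::
"""
POLICY = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
# CRYPT_DEFAULT value below is an assumption; the posted file is cut off before it
CRYPT_DEFAULT=2a
"""

if __name__ == "__main__":
    allow, default = parse_policy(POLICY)
    print("allowed for new passwords:", allow, "default:", default)
    for ident, users in sorted(audit(SHADOW).items()):
        print(f"{ident:9s} {', '.join(users)}")
```

On a real host the two strings would be replaced by the contents of /etc/shadow and /etc/security/policy.conf, read as root.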