SIA routines

From: John K. Peterson <jkpeters_at_acs2.byu.edu>
Date: Mon, 24 Feb 1997 14:55:16 -0700 (MST)

First, a comment. I'm surprised, and yet not surprised, that a lot of PD
software (CAP, samba, wuftp, ipop3d, etc.) doesn't use the SIA routines
for authentication but instead reads the protected database and uses
bigcrypt. I'm surprised because we're actually using things like password
expiration and administrative locks, so just checking the password doesn't
cut it--the password could be correct but the account suspended and they
shouldn't be able to get in. I'm not surprised because the SIA routines
were very poorly documented in the 3.x manuals and are not much better in
the 4.x ones.

With the man pages and a little guessing we worked out a system that
worked pretty well. We did all the normal steps up to sia_ses_estab,
which would tell us whether they were suspended or expired, but not
sia_ses_launch, which changes UID and logs in wtmp, etc. This worked
pretty well. However, in 4.x there is a problem. Back in the
sia_ses_authent routine (the one that checks if the password is correct),
if the password is incorrect, it increments the number of bad logins.
However, since we don't run the sia_ses_launch routine (which presumably
clears the number of bad logins) the number of bad logins never gets
cleared (unless they happen to log in via telnet or something).

One option may be to move to a different routine. sia_validate_user seems
to be new to 4.x, but that just calls sia_ses_reauthent. I haven't
experimented with this yet because it says that it just checks the
password; I don't know what it does about suspended and expired accounts.
I guess I need to write a test program to check it out.

Anyone else have any experience with this? Any ideas?

John Peterson -- University Computing Services -- Brigham Young University
Internet: John_Peterson_at_byu.edu Phone: (801) 378-5007
Received on Mon Feb 24 1997 - 23:10:53 NZDT