Forum OpenACS Development: new module proposal for external authentication

We have one slight issue with the ns_pam module.  When attempting any authentication that requires access to /etc/shadow (many UNIX systems out there use shadow passwords) it is required to be able to read /etc/shadow.  This obviously requires the running program to be root.  AOLserver will not allow itself to be run as root.

Now there is a solution that involves modifying the rights on /etc/shadow, but security-wise I would not recommend it and don't consider it a serious solution.

I'm currently writing, in addition to ns_pam, ns_extauth.

ns_ext_auth auth username password

This program will run an external authentication program controlled by AOLserver configuration options:

ns/server/${servername}/module/nsextauth
ns_param ExternalAuthProgDir "/directory/containing/auth/program"
ns_param ExternalAuthProg    "executable name"
ns_param ExternalAuthArgs    "arguments to external auth program"
ns_param ExternalAuthCacheTime "seconds to store authentication cache"

The external auth program would be a checkpassword-compatible program:

http://cr.yp.to/checkpwd.html
http://cr.yp.to/checkpwd/interface.html

ns_ext_auth would return the same information as ns_pam.

While this has the extra expense of executing an external program for each authentication, it allows the external program to be set suid root to access shadow password information.  This will still allow PAM access if the server is configured to use PAM, and as an additional bonus will allow programs such as vmailmgr (http://www.vmailmgr.org/) and vpopmail (http://www.inter7.com/vpopmail.html) to be used for authentication too, which could prove useful to dotWrk (as these are virtual hosting applications for email).

To improve performance I'll also add authentication result caching. Once a user id is authenticated or has failed three times we can create a cache that saves that result for a specific time period (controlled by a configuration setting).  The module will have reset cache options to reset a user in the cache or reset the entire cache:

ns_ext_auth resetcache username
ns_ext_auth resetcacheall

This should save on some of the expense of executing an external program.

Comments?
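As an added example (not code from the post or from the ns_pam/ns_ext_auth modules), here is the checkpassword calling convention and the proposed result cache sketched in Python: the caller hands the program `username\0password\0timestamp\0` on fd 3 and reads its exit status, and the cache keeps a success or a third consecutive failure for `cache_time` seconds, with `resetcache`/`resetcacheall` to clear it. `run_checkpassword`, `ExtAuth` and the `FAKE_CHECKPASSWORD` stand-in are constructed names, and one addition to the post's scheme is that a cached success is reused only when the same password is presented (compared through a salted digest), since a cache keyed on the username alone would accept any password until the entry expires.

```python
import hashlib
import os
import sys
import time

def run_checkpassword(argv, username, password):
    """Run a checkpassword program: 'user\\0pass\\0timestamp\\0' on fd 3; exit 0 ok, 1 rejected, 2 misuse."""
    rfd, wfd = os.pipe()
    os.write(wfd, b"%s\0%s\0%d\0" % (username.encode(), password.encode(), int(time.time())))
    os.close(wfd)  # the payload is tiny, so it waits in the pipe buffer and the child then sees EOF
    if (pid := os.fork()) == 0:  # child: the pipe's read end becomes fd 3; other fds are close-on-exec
        try:
            os.dup2(rfd, 3); os.set_inheritable(3, True)
            os.execv(argv[0], argv)
        finally:
            os._exit(2)  # reached only if the exec failed
    os.close(rfd)
    return os.waitstatus_to_exitcode(os.waitpid(pid, 0)[1])  # negative if killed by a signal

class ExtAuth:
    def __init__(self, argv, cache_time, run=run_checkpassword):
        self.argv, self.cache_time, self.run = argv, cache_time, run
        self.salt = os.urandom(16)  # per-process salt: cached digests are useless elsewhere
        self.cache, self.failures = {}, {}  # user -> (ok, digest, expiry); user -> count

    def _digest(self, password): return hashlib.sha256(self.salt + password.encode()).digest()

    def auth(self, username, password):
        ok, digest, expiry = self.cache.get(username, (None, b"", 0.0))
        # Reuse a cached success only for the same password; a cached lockout applies to any password.
        if expiry > time.monotonic() and (ok is False or digest == self._digest(password)):
            return ok
        ok = self.run(self.argv, username, password) == 0
        expiry = time.monotonic() + self.cache_time
        if ok:
            self.failures.pop(username, None)
            self.cache[username] = (True, self._digest(password), expiry)
        else:
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.failures[username] >= 3:  # the post: cache a rejection after three failures
                self.cache[username] = (False, b"", expiry)
        return ok

    def resetcache(self, username): self.cache.pop(username, None); self.failures.pop(username, None)

    def resetcacheall(self): self.cache.clear(); self.failures.clear()

FAKE_CHECKPASSWORD = [sys.executable, "-c",  # constructed stand-in program: accepts only "s3cret"
    "import os,sys;sys.exit(0 if os.read(3,1024).split(b'\\0')[1]==b's3cret' else 1)"]
```

`argv[0]` is the full path of the program (ExternalAuthProgDir joined with ExternalAuthProg in the proposal's terms), and a real checkpassword program reads fd 3 to end of file, which is why the write end is closed before the child starts.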