[asterisk-dev] Introduction to ASA - the Asterisk Security Architecture

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Oct 14 09:09:55 CDT 2008


On Tue, Oct 14, 2008 at 12:57:19PM +0200, Vadim Lebedev wrote:

> What do you think about the possibility of using PAM for authentication?

PAM is portable (works just about anywhere except OpenBSD and legacy or 
non-UNIX OSes), which is why it looks like a very good thing to use. 

PAM can be used for authentication. But just that. It provides no
further information. On Linux you'll find a specific PAM module
(e.g. pam_ldap) accompanied by a glibc NSS (name service switch) module
(e.g. nss_ldap) that can resolve relevant names.

If you want to check the passwords of system users you must be root.
This led many daemons to set aside a small authentication process that
runs as root and talks with the rest of the daemon through a socket. The
rest of the daemon does not run as root. I do not want Asterisk to run
as root merely for authenticating system users. Though if somebody
writes the code for such a subprocess: no problems.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
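
The layout the message describes (a small helper that keeps root, the rest of the daemon unprivileged, a socket between them), as an added Python example that is not part of the original post and is not Asterisk code. The credential table, the JSON-line protocol, every function name and the `nobody` uid/gid 65534 are assumptions; a real helper would call PAM where `_verify` checks the constructed table.

```python
import hashlib, hmac, json, os, socket

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

# Constructed stand-in for secrets only root can read; a real helper would call PAM.
_SECRETS = {"alice": _kdf("correct horse")}

def _verify(user: str, password: str) -> bool:
    # _kdf runs unconditionally, so unknown users cost the same time as known ones.
    return hmac.compare_digest(_kdf(password), _SECRETS.get(user, b"\0" * 32)) and user in _SECRETS

def _helper_loop(sock: socket.socket) -> None:
    """Privileged side: one JSON request per line in, one byte ('1'/'0') out."""
    for line in sock.makefile("rb"):
        try:
            req = json.loads(line)
            ok = _verify(str(req["user"]), str(req["password"]))
        except (ValueError, KeyError, TypeError):
            ok = False  # malformed request: fail closed
        sock.sendall(b"1" if ok else b"0")

def start_auth_helper() -> socket.socket:
    """Fork the helper (it keeps the caller's privileges); return the daemon's socket."""
    daemon_end, helper_end = socket.socketpair()
    if os.fork() == 0:
        daemon_end.close()
        try:
            _helper_loop(helper_end)
        finally:
            os._exit(0)  # never fall back into the daemon's code path
    helper_end.close()
    return daemon_end

def drop_privileges(uid: int = 65534, gid: int = 65534) -> None:
    """Daemon side, called after the fork. 65534 ('nobody') is an assumption."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)

def authenticate(sock: socket.socket, user: str, password: str) -> bool:
    sock.sendall(json.dumps({"user": user, "password": password}).encode() + b"\n")
    return sock.recv(1) == b"1"

if __name__ == "__main__":
    s = start_auth_helper()
    drop_privileges()
    print(authenticate(s, "alice", "correct horse"), authenticate(s, "alice", "guess"))
```

The daemon side only ever receives a one-byte yes/no answer, which matches the point in the message that authentication provides no further information about the user.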


