
HostLoginModule doesn't work for Unix platforms

  • February 16, 2013

Problem

  • Product Name: VisiBroker 7.0 Core - Production per CPU server
  • Version: Visibroker for Java (VBJ) 7.0
  • Component: VisiSecure
  • Platform: Linux SUSE ES9.0

Failed to set up the nameserver to authenticate clients against the operating system user database. Used com.borland.security.provider.authn.HostLoginModule as the login module in the example examples\vbroker\security\ins\method_level_auth. Tried with several known users; every time got the following exception:

Enter authentication information for realm myrealm
Enter username: nameserver
Enter password:
org.omg.CORBA.NO_PERMISSION: Exception during loginLogin failed Password credentials for nameserver in target realm myrealm vmcid: 0x0 minor code: 0 completed: No
at com.borland.security.core.IdentityServicesImpl.login(IdentityServicesImpl.java:1072)
at com.borland.security.core.IdentityServicesImpl.login(IdentityServicesImpl.java:863)
at com.borland.security.core.ContextImpl.login(ContextImpl.java:199)
at com.borland.security.core.ContextImpl.login(ContextImpl.java:187)
at com.borland.security.core.ContextImpl.login(ContextImpl.java:182)
at com.borland.security.core.Init.pre_init(Init.java:608)
at com.inprise.vbroker.orb.ORB.initialize(Unknown Source)
at com.inprise.vbroker.orb.ORB.set_parameters(Unknown Source)
at org.omg.CORBA.ORB.init(ORB.java:337)
at com.inprise.vbroker.naming.ExtFactory.main(Unknown Source)

Resolution

Explanation of source/cause

VisiSecure does not support shadow passwords by default. HostLoginModule reads /etc/passwd, which on a system with shadow passwords holds only a placeholder ("x") in the password field; the actual password hashes live in /etc/shadow, which is readable only by root. VisiSecure for Java implements host login through native calls (C library functions), and these are the same calls VisiSecure for C++ uses, so both behave the same way in this respect. The library function getpwnam_r() is used to look up the user's /etc/passwd entry, and the password supplied by the user is then checked against the password field of that entry. On a shadowed system that field never contains a usable hash, so every login attempt fails with the NO_PERMISSION exception shown above, regardless of whether the password is correct.

One reason this feature is not implemented is that the shadow password APIs (getspnam() and friends) are not part of POSIX and are relatively recent additions; not all systems have them, so depending on them could cause binary compatibility problems for a product that must run on many UNIX variants.

On UNIX platforms, the HostLoginModule shipped with VisiSecure uses only the simple APIs declared in the POSIX standard header pwd.h, which are uniform across almost all UNIX platforms. For deployments that demand stronger security measures, the more advanced shadow password APIs are available. Two caveats apply: the process calling them must run as root (or otherwise be permitted to read /etc/shadow), and the APIs are not in the POSIX standard, so a login module built on them will be less portable. To write your own login module based on the shadow password APIs on Linux, for example, use the functions declared in the system header shadow.h (getspnam(), getspnam_r()) together with crypt() to verify the supplied password against the stored hash. Consult the man pages (getspnam(3), crypt(3), shadow(5)) on your Linux system.


Workaround/Alternatives

HostLogin is provided as an out-of-the-box facility, but it may need to be customized to suit a particular user's host system. Users can create their own version of HostLoginModule that works with their environment, since VisiBroker provides a plugin API for this; an example is in examples/vbe/security/custom. As a workaround, write a custom login module that makes use of the shadow password APIs. Two designs are possible:

i) Split the existing HostLogin module into client and server halves that communicate over an IPC mechanism (shared memory, pipes, etc.), and run the server as root. The server performs the getpwnam_r(), getspnam_r() and crypt() calls, checking both /etc/passwd and /etc/shadow to authenticate the username/password pair; it can be started from a startup script as part of the VisiBroker installation. The client half only passes the username and password to the server and runs inside the CORBA client/server program as a normal user, as is usually the case. Because the server holds root privileges and accepts credentials from unprivileged processes, restrict the IPC endpoint to local users (file permissions on a UNIX-domain socket or named pipe) and have the server validate and length-bound every message it reads.

ii) Ship two host login modules, for example HostLoginNormal and HostLoginShadow: HostLoginNormal is the current /etc/passwd-based implementation, and HostLoginShadow is the root-run variant that consults /etc/shadow.
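The following C program is an added example for this article and is not VisiSecure or VisiBroker code. It shows the authentication core that the shadow.h-based login module described above, or the root-running server in design i), would need: look the user up with getpwnam_r(), detect the "x" placeholder that marks a shadowed entry, fetch the real hash with getspnam_r(), and verify the supplied password with crypt(). It assumes Linux/glibc (shadow.h and getspnam_r() are not POSIX) and that the binary is linked with -lcrypt; the function names (is_shadowed, verify_hash, authenticate) and the result codes are this example's own. Weak references to crypt() and getspnam_r() are used so that a system lacking either symbol yields an "unavailable" result instead of a link failure, which is the portability concern the article raises.

```c
/* hostlogin_shadow.c: check a username/password pair against /etc/passwd and,
 * when that entry is shadowed, /etc/shadow.  Added example, not VisiSecure code.
 * Assumes Linux/glibc.  Build: cc -o hostlogin hostlogin_shadow.c -lcrypt */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

char *crypt(const char *key, const char *setting);
/* Weak references: a missing libcrypt or a libc without the non-POSIX getspnam_r()
 * leaves the symbol NULL instead of breaking the link; the module then reports it. */
#pragma weak crypt
#pragma weak getspnam_r

enum auth_result {
    AUTH_OK = 0,
    AUTH_NO_USER,        /* no /etc/passwd entry */
    AUTH_BAD_PASSWORD,   /* wrong password, or account locked / no password set */
    AUTH_NEED_PRIVILEGE, /* entry is shadowed but /etc/shadow is not readable by us */
    AUTH_EXPIRED,        /* shadow expiry date has passed */
    AUTH_UNAVAILABLE     /* crypt() or getspnam_r() not present on this system */
};

/* On a shadowed system the /etc/passwd password field holds only "x". */
int is_shadowed(const char *pw_passwd)
{
    return pw_passwd != NULL && strcmp(pw_passwd, "x") == 0;
}

/* Compare two hash strings without bailing out at the first differing byte. */
static int hashes_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Check PASSWORD against a crypt(3)-format HASH taken from passwd or shadow. */
enum auth_result verify_hash(const char *hash, const char *password)
{
    /* Empty, "!" or "*" fields mean locked or no password set: never accept. */
    if (hash == NULL || hash[0] == '\0' || hash[0] == '!' || hash[0] == '*')
        return AUTH_BAD_PASSWORD;
    if (crypt == NULL)
        return AUTH_UNAVAILABLE;
    const char *computed = crypt(password, hash); /* algorithm and salt come from hash */
    if (computed == NULL) /* hash method not supported by this libcrypt */
        return AUTH_BAD_PASSWORD;
    return hashes_equal(computed, hash) ? AUTH_OK : AUTH_BAD_PASSWORD;
}

/* Look USER up with getpwnam_r(); if the entry is shadowed, fetch the real hash with
 * getspnam_r(); then verify PASSWORD.  A root-run HostLoginShadow server would do this. */
enum auth_result authenticate(const char *user, const char *password)
{
    struct passwd pw, *pwp = NULL;
    struct spwd sp, *spp = NULL;
    char pwbuf[4096], spbuf[4096]; /* sp.sp_pwdp points into spbuf: keep it in scope */
    if (getpwnam_r(user, &pw, pwbuf, sizeof pwbuf, &pwp) != 0 || pwp == NULL)
        return AUTH_NO_USER;
    const char *hash = pw.pw_passwd;
    if (is_shadowed(hash)) {
        if (getspnam_r == NULL)
            return AUTH_UNAVAILABLE;
        int rc = getspnam_r(user, &sp, spbuf, sizeof spbuf, &spp);
        if (rc != 0 || spp == NULL) {
            /* Unprivileged callers cannot read /etc/shadow: the stock module's failure. */
            return (rc == EACCES || geteuid() != 0) ? AUTH_NEED_PRIVILEGE
                                                     : AUTH_BAD_PASSWORD;
        }
        /* sp_expire is days since the epoch; -1 means the account never expires. */
        if (sp.sp_expire > 0 && sp.sp_expire <= (long)(time(NULL) / 86400))
            return AUTH_EXPIRED;
        hash = sp.sp_pwdp;
    }
    return verify_hash(hash, password);
}

/* Usage: ./hostlogin USER  (password is read from stdin, never from argv). */
int main(int argc, char **argv)
{
    static const char *names[] = { "OK", "NO_USER", "BAD_PASSWORD",
                                   "NEED_PRIVILEGE", "EXPIRED", "UNAVAILABLE" };
    char password[256];
    if (argc != 2) { fprintf(stderr, "usage: %s USER < password\n", argv[0]); return 2; }
    if (fgets(password, sizeof password, stdin) == NULL) return 2;
    password[strcspn(password, "\n")] = '\0';
    enum auth_result r = authenticate(argv[1], password);
    explicit_bzero(password, sizeof password);
    printf("%s: %s\n", argv[1], names[r]);
    return r == AUTH_OK ? 0 : 1;
}
```

Run as an ordinary user, a shadowed account yields NEED_PRIVILEGE, which is the same situation the stock HostLoginModule is in; run as root (or via the root-owned server half of design i), the same call reaches /etc/shadow and returns OK or BAD_PASSWORD.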


#VisiBroker
#Security
#HostLoginModule