Re: Emerald Questions

Greg Boehnlein ( damin@seka.nacs.net )
Tue, 4 Mar 1997 03:06:37 -0500 (EST)

On Tue, 4 Mar 1997, David Khoury wrote:

>
> >Subject: Emerald UX
> >
> >Hello all,
> > I'm trying to figure out how to interface my Linux box with my
> >Emerald server. I'm running 2.0.88, but I'm a bit stumped.
>
> I agree ... the docs for Emerald UX are VERY skimpy. They don't have to
> be pretty, just thorough ... at least explaining how the system works so
> that we can figure out the rest :)

I talked briefly with Dale today and we talked about his plans for the
future for External Systems.

What we have now is a way to export to a flat file. This file needs to be
parsed and then acted upon via the Unix box. There are a couple of SERIOUS
problems with this..

1. Passwords are all plain-text.
2. Passwords are stored for extended periods of time on the server in
plain text format. In fact, EmeraldUX keeps a "processed" log w/ a
list of all the names, passwords etc.

I'm sorry, but this method is unacceptable for obvious security reasons.
The passing and writing of Plain Text passwords is not something that I
look fondly upon, even if the share is protected well.

Dale, what options do we have for creating passwords that are already
"crypted" into a standard format? I'm not talking anything like MD-5, just
a standard basic Unix passwd that can be easily shoved into the
/etc/passwd or /etc/shadow file without any additional modifications.

Here at NACS, we use Red Hat Linux 4.1 w/ PAM 0.56 and Shadow Passwords.
It's easy enough to write a program to parse the output of Emerald and
Add, Delete and Modify users.

After looking at the EmeraldUX code, it made my scalp creep. It needs
help. Serious help. I'll be writing something to allow some external
configuration and modularization of the code. If I get really industrious,
I'll add ODBC support to it and have it pull the data directly from the
Database.

In fact, that would be a MUCH better option. It wouldn't be that difficult
to write a program that simply queried the database directly, discovered
what accounts needed to be updated and then parsed them one by one. This
way, you could avoid the security problems of writing clear text passwords
directly to a filesystem AND use much of the ready made source code out
there to do the grunt work.

Hmmm... Would it be possible to get the queries that you use to build the
changed accounts files? I believe I've got an ODBC driver that can connect
to MS-SQL from Linux around here somewhere....

--
President of New Age Consulting Service, Inc.  Cleveland Ohio
SLIP/PPP/Unix Shell   28.8k / ISDN / Leased Line
http://www.nacs.net   info@nacs.net   (216)-524-8414
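
The following is an added example, not part of the original post and not EmeraldUX code: a shell filter that hashes each exported password the moment it is read and emits `login:hash` lines in the format `chpasswd -e` accepts, so only crypt(3) hashes ever reach the filesystem. The `action|login|password` record layout and the sample records are assumptions constructed for illustration, and the hash is SHA-512 crypt via `openssl passwd -6` rather than the traditional DES crypt the post mentions.

```shell
#!/bin/sh
# Added example, not EmeraldUX code. The record layout "action|login|password"
# is an assumption; the real export format is not shown in the post.

# Read export records on stdin and write "login:hash" lines (the input format
# of `chpasswd -e`), so the plaintext is never written back to disk.
hash_export() {
    while IFS='|' read -r action login password; do
        case "$action" in
            ADD|MODIFY) ;;
            *) continue ;;      # deletes and unknown actions need no hash
        esac
        # Refuse logins that could smuggle extra colon-separated fields.
        case "$login" in
            ''|*[!a-z0-9_-]*) echo "skipped record: bad login" >&2; continue ;;
        esac
        if [ -z "$password" ]; then
            echo "skipped $login: empty password" >&2
            continue
        fi
        # -stdin keeps the plaintext out of argv and the process list;
        # -6 selects SHA-512 crypt with a random per-user salt.
        hash=$(printf '%s\n' "$password" | openssl passwd -6 -stdin) || return 1
        printf '%s:%s\n' "$login" "$hash"
    done
    return 0
}

# Constructed sample records (not real accounts).
hash_export <<'EOF'
ADD|alice|s3cret-Example
DELETE|bob|
MODIFY|bad:name|whatever
EOF
```

Only the first sample record produces output; the delete record and the record whose login contains a colon are skipped.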