Check Password Against External DB

[David Teston]

Hi All,

My company runs an application that hashes/encrypts user passwords in a
central postgres DB. I have a bash script that can be run remotely to check
a username and password against it:
./script.sh <user> <plaintext_pass>

The end goal is to store the username and encrypted password on the
local FR postgres DB, but always/only check the password against the
central DB. This will account for any password/permissions changes that
occur on the application DB.

My fear is that I will not be able to use EAP or CHAP (and their various
sub-types) because of client-side password hashing. It seems that PAP will
be the only usable solution because it would still provide the server with
a plaintext password to be passed into the script. But I run into security
issues with PAP.

Does anyone know of a proper method that would allow me to check all user
credentials against the external DB while still remaining secure throughout
the entire process?

Thanks in advance,
David

--
David Teston
PINES System Administrator