From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 15:20:55 2011
From: Dag-Erling Smørgrav <des@des.no>
To: freebsd-security@freebsd.org
Date: Fri, 16 Sep 2011 17:05:39 +0200
Message-ID: <86boukbk8s.fsf@ds4.des.no>
Subject: PAM modules
List-Id: "Security issues [members-only posting]"

We currently have a number of PAM modules in ports, and while some of them are specific to certain third-party software, many aren't. I believe we would benefit from importing at least some of these into base. My question is: which ones?

DES
-- 
Dag-Erling Smørgrav - des@des.no


From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 17:29:58 2011
From: Xin LI <delphij@delphij.net>
Date: Fri, 16 Sep 2011 10:29:56 -0700
Subject: Re: PAM modules

On 09/16/11 08:05, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some
> of them are specific to certain third-party software, many aren't.
> I believe we would benefit from importing at least some of these
> into base. My question is: which ones?

LDAP? (We do currently have some work on LDAP integration but are not sure if the community would be interested; this would need an import of a stripped-down OpenLDAP) and modifying OpenSSH to support public keys in an LDAP directory.

Cheers,
-- 
Xin LI <https://www.delphij.net/>
FreeBSD - The Power to Serve!
Live free or die
From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 17:39:52 2011
From: Mark Felder <feld@feld.me>
Date: Fri, 16 Sep 2011 12:39:41 -0500
Subject: Re: PAM modules

On Fri, 16 Sep 2011 12:29:56 -0500, Xin LI wrote:
> LDAP? (We do currently have some work on LDAP integration but not
> sure if the community would be interested -- this would need an import
> of stripped down OpenLDAP) and modifies OpenSSH to support public key
> in LDAP directory.

All of this would be greatly appreciated by myself and my fellow coworkers.
From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 19:41:04 2011
From: Corey Smith <corsmith@gmail.com>
Date: Fri, 16 Sep 2011 15:10:09 -0400
Subject: Re: PAM modules

On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
> My question is: which ones?

security/pam_ssh_agent_auth

It is BSD licensed and handy for sudo.

-Corey Smith


From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 20:28:53 2011
From: Robert Simmons <rsimmons0@gmail.com>
Date: Fri, 16 Sep 2011 16:02:09 -0400
Subject: Re: PAM modules

2011/9/16 Dag-Erling Smørgrav:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?

Perhaps google authenticator?

http://code.google.com/p/google-authenticator/
http://www.freebsd.org/cgi/url.cgi?ports/security/pam_google_authenticator/pkg-descr
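The google-authenticator module Robert Simmons points at verifies RFC 6238 time-based one-time codes (HMAC-SHA1, 30-second step, 6 digits, base32-encoded secret, which are also the module's defaults). The following is an added example written for this page, not code from the thread or from the google-authenticator project: it implements HOTP and TOTP as the RFCs specify them, plus a verifier that tolerates one time step of clock drift and refuses to accept a code at or before the last counter already used, the behaviour the module calls DISALLOW_REUSE. The drift window and the reuse rule are this example's own choices; the secret is the RFC 6238 test vector, so the values can be checked against the RFC's tables.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 parameters; google-authenticator's defaults are the same.
STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a `digits`-digit, zero-padded decimal string."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """The shared secret is stored base32-encoded (as in ~/.google_authenticator)."""
    return base64.b32decode(secret_b32.replace(" ", ""), casefold=True)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), unix_time // step)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts codes from `window` time steps either side of the current one to
    tolerate clock drift, and refuses any counter at or before the last one
    accepted so a captured code cannot be replayed. The exact policy is this
    example's assumption, not the module's source.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.key = decode_secret(secret_b32)
        self.window = window
        self.step = step
        self.last_counter = None  # highest counter value accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if self.last_counter is not None and counter <= self.last_counter:
                continue  # replay, or older than a code already used
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B secret "12345678901234567890", base32-encoded.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(secret, 59))  # 287082, the last six digits of the RFC's 94287082
```

A PAM module doing this work also has to persist `last_counter` (google-authenticator writes it back into the user's secret file) and should rate-limit attempts, since a six-digit code with a three-step window is guessable by brute force without some throttle.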
From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 21:35:19 2011
From: David Cornejo <dave@dogwood.com>
Date: Fri, 16 Sep 2011 11:04:37 -1000
Subject: Re: PAM modules

2011/9/16 Dag-Erling Smørgrav
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

Another vote for LDAP


From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 21:54:15 2011
From: Xin LI <delphij@delphij.net>
To: Mark Felder
Date: Fri, 16 Sep 2011 14:54:11 -0700
Subject: Re: PAM modules

On 09/16/11 10:39, Mark Felder wrote:
> On Fri, 16 Sep 2011 12:29:56 -0500, Xin LI wrote:
>
>> LDAP? (We do currently have some work on LDAP integration but not
>> sure if the community would be interested -- this would need an import
>> of stripped down OpenLDAP) and modifies OpenSSH to support public key
>> in LDAP directory.
>
> All of this would be greatly appreciated by myself and my fellow coworkers.

I can publish the source code, but note that it's for FreeBSD 8.2 and OpenLDAP needs to be updated. The changes are moderately intrusive but are in a manageable shape; it's used in production at a company which wishes to remain anonymous (the work is mostly putting together several open source modules and fixing bugs, and they have assigned a delegate for copyright to license it under a compatible license). I need to find some time to adapt the code to -HEAD and call for feedback.

Cheers,
-- 
Xin LI <https://www.delphij.net/>
FreeBSD - The Power to Serve!
Live free or die


From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 22:05:01 2011
From: Mike Carlson <carlson39@llnl.gov>
Date: Fri, 16 Sep 2011 14:36:35 -0700
Subject: Re: PAM modules

On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> We currently have a number of PAM modules in ports, and while some of
> them are specific to certain third-party software, many aren't. I
> believe we would benefit from importing at least some of these into
> base. My question is: which ones?
>
> DES

LDAP support out of the box would be fantastic.

Mike C


From owner-freebsd-security@FreeBSD.ORG Fri Sep 16 23:13:31 2011
From: Dan Lukes <dan@obluda.cz>
Date: Sat, 17 Sep 2011 01:13:22 +0200
Subject: Re: PAM modules

On 09/16/11 17:05, Dag-Erling Smørgrav:
> My question is: which ones?

An anti-brute-force module would be nice. security/pam_af is my favorite. Configurable, fast, BSD license.

Dan
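The anti-brute-force module Dan Lukes suggests keeps a failure count per source and refuses further attempts once a threshold is crossed. The following is an added example written for this page, not pam_af's code: a per-host failure counter with a sliding window and a lockout period, replayed over constructed sshd log lines so the reader can see when such a module would start refusing a source host, what a genuine login does to the counter, and when the lock expires. The thresholds (5 failures in 300 seconds, 900-second lockout), the log lines, the host names and the assumed year are all this example's inventions.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2011  # syslog lines carry no year; assumed for the sample below

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>[0-9A-Fa-f.:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>[0-9A-Fa-f.:]+) port \d+"
)


def parse_ts(line: str) -> int:
    """'Sep 17 01:18:01 ...' -> seconds since the epoch (UTC assumed)."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return calendar.timegm(stamp.timetuple())


class BruteForceGuard:
    """Per-source-host failure counter with a lockout, in the spirit of an
    anti-brute-force PAM module: after `max_failures` failures within
    `window` seconds the host is refused for `lockout` seconds.
    The thresholds are this example's assumptions, not pam_af's defaults."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.locked_until = {}              # host -> epoch second the lock expires

    def _prune(self, host: str, now: int) -> None:
        q = self.failures[host]
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, host: str, now: int) -> bool:
        until = self.locked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[host]  # lock has expired
            return False
        return True

    def failure_count(self, host: str, now: int) -> int:
        self._prune(host, now)
        return len(self.failures[host])

    def record_failure(self, host: str, now: int) -> bool:
        """Record one failure; returns True if this one tripped the lockout."""
        self._prune(host, now)
        self.failures[host].append(now)
        if len(self.failures[host]) >= self.max_failures:
            self.locked_until[host] = now + self.lockout
            self.failures[host].clear()
            return True
        return False

    def record_success(self, host: str) -> None:
        self.failures.pop(host, None)  # a real login resets the counter


def replay(lines, guard: BruteForceGuard):
    """Feed sshd log lines through the guard. Returns one (host, decision)
    per matching line: 'failure', 'lockout' (this failure tripped the lock),
    'blocked' (attempt made while locked out, i.e. what the module would have
    refused before the password was even checked) or 'accepted'."""
    decisions = []
    for line in lines:
        now = parse_ts(line)
        m = FAILED_RE.search(line)
        if m:
            host = m.group("host")
            if guard.is_locked(host, now):
                decisions.append((host, "blocked"))
            elif guard.record_failure(host, now):
                decisions.append((host, "lockout"))
            else:
                decisions.append((host, "failure"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            host = m.group("host")
            guard.record_success(host)
            decisions.append((host, "accepted"))
    return decisions


# Constructed sample, not real log data: a password-guessing run from
# 203.0.113.5, a typo-then-success from 198.51.100.7, and a retry from the
# first host after its lock has expired (01:18:07 + 900 s = 01:33:07).
SAMPLE_LOG = """\
Sep 17 01:18:01 gw sshd[31001]: Failed password for root from 203.0.113.5 port 51122 ssh2
Sep 17 01:18:03 gw sshd[31003]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Sep 17 01:18:04 gw sshd[31005]: Failed password for invalid user oracle from 203.0.113.5 port 51131 ssh2
Sep 17 01:18:06 gw sshd[31007]: Failed password for root from 203.0.113.5 port 51140 ssh2
Sep 17 01:18:07 gw sshd[31009]: Failed password for root from 203.0.113.5 port 51141 ssh2
Sep 17 01:18:09 gw sshd[31011]: Failed password for root from 203.0.113.5 port 51142 ssh2
Sep 17 01:20:00 gw sshd[31020]: Failed password for jhell from 198.51.100.7 port 40001 ssh2
Sep 17 01:20:05 gw sshd[31022]: Accepted publickey for jhell from 198.51.100.7 port 40002 ssh2
Sep 17 01:40:00 gw sshd[31030]: Failed password for root from 203.0.113.5 port 52000 ssh2
"""

if __name__ == "__main__":
    for host, decision in replay(SAMPLE_LOG.splitlines(), BruteForceGuard()):
        print(f"{host:15} {decision}")
```

Two design points matter when this logic runs inside PAM rather than over a log: the state has to live somewhere shared between short-lived sshd processes (a file or database, as the port does), and the decision should be taken in the auth chain before the password module runs, so a locked-out host costs no hashing and learns nothing about whether the account exists.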
Dan From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 03:49:36 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 310F11065673 for ; Sat, 17 Sep 2011 03:49:36 +0000 (UTC) (envelope-from jamesbrandongooch@gmail.com) Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id B562D8FC12 for ; Sat, 17 Sep 2011 03:49:35 +0000 (UTC) Received: by wwe3 with SMTP id 3so5526437wwe.31 for ; Fri, 16 Sep 2011 20:49:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dHbCMJoRccdMhBn71tgtAK3YIoRyeHWLk8PjK1fVj3Q=; b=kCcaOL3gPSukiaLA2iOSnz6fWkLEf4rVuyehvnioc1igFq8JDh7/LnX+6Rb7cYD0zV TxCcXMUsWow7hWpw+IEeu2Fe181vhzpIiBzI4htAUWirZxHC0sGg2tjG+fuYAosHlqWL XZ35XR4Bxv+SG6H48Ic7yQWSU74RU02nQUlbg= MIME-Version: 1.0 Received: by 10.216.157.132 with SMTP id o4mr126619wek.58.1316229916981; Fri, 16 Sep 2011 20:25:16 -0700 (PDT) Received: by 10.216.131.200 with HTTP; Fri, 16 Sep 2011 20:25:16 -0700 (PDT) Received: by 10.216.131.200 with HTTP; Fri, 16 Sep 2011 20:25:16 -0700 (PDT) In-Reply-To: <86boukbk8s.fsf@ds4.des.no> References: <86boukbk8s.fsf@ds4.des.no> Date: Fri, 16 Sep 2011 22:25:16 -0500 Message-ID: From: Brandon Gooch To: =?ISO-8859-1?Q?Dag=2DErling_Sm=F8rgrav?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Sep 2011 03:49:36 -0000 On Sep 16, 2011 10:21 AM, "Dag-Erling Sm=F8rgrav" wrote: > > 
We currently have a number of PAM modules in ports, and while some of > them are specific to certain third-party software, many aren't. I > believe we would benefit from importing at least some of these into > base. My question is: which ones? > > DES > -- > Dag-Erling Sm=F8rgrav - des@des.no +1 for LDAP -Brandon From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 05:30:49 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5E47D106566B for ; Sat, 17 Sep 2011 05:30:49 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 2047D8FC08 for ; Sat, 17 Sep 2011 05:30:48 +0000 (UTC) Received: by iadk27 with SMTP id k27so4908444iad.13 for ; Fri, 16 Sep 2011 22:30:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:content-transfer-encoding :in-reply-to; bh=s7xhLV8odH3MbCqPtTrjjqLvG7WFENexYlatRgdQLV0=; b=JxoHp8AyFDMdlH9omiN6P5tZKoBg3JcTlfYh0IOqYij0dGIF3xxxAa2iqDctE2BrCg R6Ghac4zgNFlqrJNyaN/EIaWbLmKUydVC326t5FYSmc/SzOooF9Lz2FCoABF4f7ne/1N dSqIdxMXwMoDEEr8U9ij6bZke2DlUbzwj47Ak= Received: by 10.42.97.8 with SMTP id l8mr410425icn.3.1316237079711; Fri, 16 Sep 2011 22:24:39 -0700 (PDT) Received: from DataIX.net ([99.190.81.85]) by mx.google.com with ESMTPS id g16sm12663383ibs.8.2011.09.16.22.24.37 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 16 Sep 2011 22:24:38 -0700 (PDT) Sender: Jason Hellenthal Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.5/8.14.5) with ESMTP id p8H5OZK5033020 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 17 Sep 2011 01:24:35 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net 
(8.14.5/8.14.5/Submit) id p8H5OYls033019; Sat, 17 Sep 2011 01:24:34 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Sat, 17 Sep 2011 01:24:34 -0400 From: Jason Hellenthal To: Brandon Gooch Message-ID: <20110917052434.GA32989@DataIX.net> References: <86boukbk8s.fsf@ds4.des.no> <20110917051827.GA27245@DataIX.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20110917051827.GA27245@DataIX.net> Cc: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Sep 2011 05:30:49 -0000 On Sat, Sep 17, 2011 at 01:18:27AM -0400, Jason Hellenthal wrote: > > +1 for LDAP > > On Fri, Sep 16, 2011 at 10:25:16PM -0500, Brandon Gooch wrote: > > On Sep 16, 2011 10:21 AM, "Dag-Erling Smørgrav" wrote: > > > > > > We currently have a number of PAM modules in ports, and while some of > > > them are specific to certain third-party software, many aren't. I > > > believe we would benefit from importing at least some of these into > > > base. My question is: which ones? > > > > > > DES > > > -- > > > Dag-Erling Smørgrav - des@des.no > > > > +1 for LDAP > > > > -Brandon > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" Do not mean to reply to my own post but seems these offer the most IMHO benefit to the project and end-users. 
security/pam_jail A PAM module dropping users in jails after login security/pam_krb5 A Pluggable Authentication Module for Kerberos5 security/pam_ldap A pam module for authenticating with LDAP security/pam_mkhomedir Create HOME with a PAM module on demand security/pam_p11 A PAM module using crypto tokens for auth authenticate against Unix PAM security/pam_pwdfile A pam module for authenticating with flat passwd files security/pam_require A PAM module for restricting access based on unix group or username security/pam_smb NetBIOS domain logon PAM module security/pam_ssh_agent_auth PAM module which permits authentication via ssh-agent sysutils/pam_mount A PAM that can mount volumes for a user session From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 05:44:51 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D8CD1065676 for ; Sat, 17 Sep 2011 05:44:51 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id F35078FC18 for ; Sat, 17 Sep 2011 05:44:50 +0000 (UTC) Received: by iadk27 with SMTP id k27so4922481iad.13 for ; Fri, 16 Sep 2011 22:44:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:content-transfer-encoding :in-reply-to; bh=miAXs7r3QLBAR3tY1NPBd0sSS60QXATtKhWgyHcEBbw=; b=UKn3MqfKFNLn2eieDxnKx8QCiJphspVxs0nQOiJLRM+TncJcSCb8+4WKuv34ByqLXJ iveJT8s9/tLfSYSD3tE5GiinzgzJZoayD1XKNdwp1hCDzLDzfEzhjJCIm6WsKU1He1it ONjXn+oAwuabQU30ysxNpV5GtwnOMGkdSXGNE= Received: by 10.42.148.71 with SMTP id q7mr357768icv.172.1316236714092; Fri, 16 Sep 2011 22:18:34 -0700 (PDT) Received: from DataIX.net ([99.190.81.85]) by mx.google.com with ESMTPS id df21sm12643559ibb.9.2011.09.16.22.18.32 
(version=TLSv1/SSLv3 cipher=OTHER); Fri, 16 Sep 2011 22:18:32 -0700 (PDT) Sender: Jason Hellenthal Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.5/8.14.5) with ESMTP id p8H5ITwC032765 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 17 Sep 2011 01:18:29 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.5/8.14.5/Submit) id p8H5ISIp032764; Sat, 17 Sep 2011 01:18:28 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Sat, 17 Sep 2011 01:18:27 -0400 From: Jason Hellenthal To: Brandon Gooch Message-ID: <20110917051827.GA27245@DataIX.net> References: <86boukbk8s.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Cc: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Sep 2011 05:44:51 -0000 +1 for LDAP On Fri, Sep 16, 2011 at 10:25:16PM -0500, Brandon Gooch wrote: > On Sep 16, 2011 10:21 AM, "Dag-Erling Smørgrav" wrote: > > > > We currently have a number of PAM modules in ports, and while some of > > them are specific to certain third-party software, many aren't. I > > believe we would benefit from importing at least some of these into > > base. My question is: which ones? 
> > > > DES > > -- > > Dag-Erling Smørgrav - des@des.no > > +1 for LDAP > > -Brandon > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 09:42:51 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 34235106564A for ; Sat, 17 Sep 2011 09:42:51 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id C873A8FC15 for ; Sat, 17 Sep 2011 09:42:50 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:f803:edca:622b:8392]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPA id 92E764AC1C; Sat, 17 Sep 2011 13:42:48 +0400 (MSD) Date: Sat, 17 Sep 2011 13:42:37 +0400 From: Lev Serebryakov X-Priority: 3 (Normal) Message-ID: <598207190.20110917134237@serebryakov.spb.ru> To: Xin LI In-Reply-To: <4E738794.4050908@delphij.net> References: <86boukbk8s.fsf@ds4.des.no> <4E738794.4050908@delphij.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= , d@delphij.net, freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Sep 2011 09:42:51 -0000 Hello, Xin. You wrote 16 =D1=81=D0=B5=D0=BD=D1=82=D1=8F=D0=B1=D1=80=D1=8F 2011 =D0=B3.,= 21:29:56: > LDAP? 
(We do currently have some work on LDAP integration but not > sure if the community would be interested -- this would need an import > of stripped down OpenLDAP) and modifies OpenSSH to support public key > in LDAP directory. Minimal ldap client, nss/pam_ldap and SSH keys in LDAP out-of-box is great! But it is disagree with trend to stirp-down base system :( --=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 09:46:38 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AF10E1065670 for ; Sat, 17 Sep 2011 09:46:38 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 73D038FC12 for ; Sat, 17 Sep 2011 09:46:38 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:f803:edca:622b:8392]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPA id 840274AC32; Sat, 17 Sep 2011 13:46:37 +0400 (MSD) Date: Sat, 17 Sep 2011 13:46:26 +0400 From: Lev Serebryakov X-Priority: 3 (Normal) Message-ID: <1875031368.20110917134626@serebryakov.spb.ru> To: Jason Hellenthal In-Reply-To: <20110917052434.GA32989@DataIX.net> References: <86boukbk8s.fsf@ds4.des.no> <20110917051827.GA27245@DataIX.net> <20110917052434.GA32989@DataIX.net> MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1251 Content-Transfer-Encoding: quoted-printable Cc: Brandon Gooch , =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= , freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Sep 2011 09:46:38 -0000 
Hello, Jason.

You wrote 17 September 2011, 9:24:34:

> security/pam_ldap A pam module for authenticating with LDAP

It needs nss_ldap too for reasonable work, and in such case `net/nss-pam-ldapd' is better, as it is two-in-one, maybe with the cache daemon stripped out. But all these ldap-related modules are strange in their desire to have config files like "ldap.conf" :)

--
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 12:46:30 2011
From: "Hartmann, O."
To: Mike Carlson
Cc: freebsd-security@freebsd.org
Date: Sat, 17 Sep 2011 14:30:54 +0200
Subject: Re: PAM modules -> LDAP!
On 09/16/11 23:36, Mike Carlson wrote:
> On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
>> We currently have a number of PAM modules in ports, and while some of
>> them are specific to certain third-party software, many aren't. I
>> believe we would benefit from importing at least some of these into
>> base. My question is: which ones?
>>
>> DES
> LDAP support out of the box would be fantastic.
>
> Mike C

Also a strong vote for LDAP support. LDAP is our backend for several server systems and it is a kind of pain having to think first about the ports to be installed. Also I suspect and hope for better integration if LDAP becomes part of the core system.
Regards,
Oliver

From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 15:33:07 2011
From: Dag-Erling Smørgrav
To: Jason Hellenthal
Cc: Brandon Gooch, freebsd-security@freebsd.org
Date: Sat, 17 Sep 2011 17:33:05 +0200
Subject: Re: PAM modules

Jason Hellenthal writes:
> security/pam_jail A PAM module dropping users in jails after login
> security/pam_krb5 A Pluggable Authentication Module for Kerberos5

We already have that.

> security/pam_ldap A pam module for authenticating with LDAP

Not going to happen, since we don't have LDAP in base.
> security/pam_mkhomedir Create HOME with a PAM module on demand
> security/pam_p11 A PAM module using crypto tokens for auth authenticate against Unix PAM

Requires a PKCS11 implementation in base. I never finished the one I started on...

> security/pam_pwdfile A pam module for authenticating with flat passwd files
> security/pam_require A PAM module for restricting access based on unix group or username

What does this do that pam_group doesn't?

> security/pam_smb NetBIOS domain logon PAM module

Apparently requires Perl to run, although this may be a bug in the port

> security/pam_ssh_agent_auth PAM module which permits authentication via ssh-agent
> sysutils/pam_mount A PAM that can mount volumes for a user session

That leaves us with the following candidates:

- pam_jail
- pam_mkhomedir
- pam_mount
- pam_pwdfile
- pam_ssh_agent_auth

and possibly also

- pam_require
- pam_smb

Note that pam_mkhomedir and pam_mount can be implemented using pam_exec (possibly with some improvements) and scripts.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 14:14:16 2011
From: Fahad Ahmad
To: freebsd-security@freebsd.org
Date: Sat, 17 Sep 2011 06:13:56 -0700
Subject: Re: PAM modules -> LDAP!

Not everybody requires LDAP/PAM, so making it part of base is not a valid reason. Same can apply for any other 3rd party port (Apache, Samba, etc etc).

On 09/17/2011 05:30 AM, Hartmann, O.
wrote:
> On 09/16/11 23:36, Mike Carlson wrote:
>> On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
>>> We currently have a number of PAM modules in ports, and while some of
>>> them are specific to certain third-party software, many aren't. I
>>> believe we would benefit from importing at least some of these into
>>> base. My question is: which ones?
>>>
>>> DES
>> LDAP support out of the box would be fantastic.
>>
>> Mike C
> Also a strong vote for LDAP support. LDAP is our backend for several
> server systems and it is a kind of pain
> having to think first for the ports to be installed. Also I suspect and
> hope a better integration if LDAP gets
> part of the core system.
>
> Regards,
> Oliver

From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 14:15:28 2011
From: Ryan Steinmetz
To: "Hartmann, O."
Cc: freebsd-security@FreeBSD.org, Mike Carlson
Date: Sat, 17 Sep 2011 09:53:42 -0400
Subject: Re: PAM modules -> LDAP!

On (09/17/11 14:30), Hartmann, O. wrote:
> On 09/16/11 23:36, Mike Carlson wrote:
> > On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> >> We currently have a number of PAM modules in ports, and while some of
> >> them are specific to certain third-party software, many aren't. I
> >> believe we would benefit from importing at least some of these into
> >> base. My question is: which ones?
> >>
> >> DES
> > LDAP support out of the box would be fantastic.
> >
> > Mike C
>
> Also a strong vote for LDAP support. LDAP is our backend for several
> server systems and it is a kind of pain
> having to think first for the ports to be installed. Also I suspect and
> hope a better integration if LDAP gets
> part of the core system.
>
> Regards,
> Oliver

I think some caution should be used whenever we discuss merging things into the base system. There may be other ways of achieving the same functionality, without the challenges that come with merging things directly into the base system. Ports tend to be easier to update (in terms of version bumps/feature additions) when compared to things that become part of base.

I think an interesting concept would be something that gave us the ability to (easily) tie certain ports into software from the base system. Something that would allow the software to be more easily kept current. Perhaps this could be done via some sort of base-integrated ports category that requires extra-special care/controls when being updated.

Using the above idea, perhaps we could have ISOs or the like available that include these 'base-integrated' ports pre-installed, thus giving users the ability to (effectively) have an out-of-the-box solution that included LDAP support, etc., while still having these 'base-integrated' ports loosely coupled with the base OS. The concept could keep the base system lean, but provide the flexibility that users desire.
Obviously there are some complexities associated with implementing the framework and details that would need to be worked out, but this could address:

- The desire to keep the base system lean
- The desire to provide certain features out-of-the-box
- The ability to keep these 'base-integrated' ports more current in terms of features/functionality

-r

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2

From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 20:55:39 2011
From: Xin LI
To: freebsd-security@freebsd.org
Date: Sat, 17 Sep 2011 13:55:38 -0700
Cc: Chao Shin
Subject: Re: PAM modules -> LDAP!

On 09/17/11 06:53, Ryan Steinmetz wrote:
[...]
> I think some caution should be used whenever we discuss merging
> things into the base system. There may be other ways of achieving
> the same functionality, without the challenges that come with
> merging things directly into the base system. Ports tend to be
> easier to update (in terms of version bumps/features additions)
> when compared to things that become part of base.
>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base
> system. Something that would allow the software to be more easily
> kept current. Perhaps this could be done via some sort of
> base-integrated ports category that require extra-special
> care/controls when being updated.
>
> Using the above idea, perhaps we could have ISOs or the like
> available that include these 'base-integrated' ports pre-installed,
> thus giving users the ability to (effectively) have an
> out-of-the-box solution that included LDAP support, etc., while
> still having these 'base-integrated' ports loosely coupled with the
> base OS. The concept could keep the base system lean, but provide
> the flexibility that users desire.
>
> Obviously there are some complexities associated with implementing
> the framework and details that would need to be worked out, but
> this could address: -The desire to keep the base system lean -The
> desire to provide certain features out-of-the-box -The ability to
> keep these 'base-integrated' ports more current in terms of
> features/functionality

I've put a preliminary patchset at:

http://people.freebsd.org/~delphij/misc/freebsd8.2-ldap.diff.xz

for interested parties. That work was done to meet quakelee@'s company's needs (mostly done by him; I helped him with some minor things on my weekends) and the patch might need some cleanup work (I've stripped down the unrelated parts, like bringing rsync and sudo into their base system, but it's well possible that I've missed something or haven't removed some junk in this patchset -- ask me and/or quakelee@ if that's the case; their patched system works fine and I have everything in our git, so let me know if that works).

Speaking of having or not having this by default in FreeBSD: it's not hard for us to make a customized distribution, and the patchset allows one to build an LDAP-free system. We have stripped down OpenLDAP to only do the client side, and the symbols have been renamed to avoid conflicts with the OpenLDAP port.

Personally I don't consider an operating system that has no built-in LDAP support a complete one, and consider this: what happens when OpenLDAP's shared library version is bumped (this is not rare), and what would your LDAP-linked sshd and pam modules do?

"base-integrated" port -- I wouldn't object if that would ever happen, but I bet it's a much bigger one than LDAP integration :)

It may take me a day or two to get our patchset cleaned up and updated to -HEAD and latest OpenLDAP -stable and universe it, plus test on amd64, but implementing a shiny new framework is not something we (I and quakelee@) could do.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
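DES's remark earlier in the thread that pam_mkhomedir can be replaced by pam_exec plus a script, worked through as an added example; this is not code from any message in the thread or from FreeBSD. It assumes a pam.d entry of the form `session required pam_exec.so /usr/local/libexec/mkhomedir.sh`, that pam_exec(8) exports PAM_USER and PAM_SM_FUNC to the script, and /usr/share/skel as the skeleton directory; the script name and paths are assumptions.

```shell
#!/bin/sh
# mkhomedir.sh: create a user's home directory on first login, to be run
# by pam_exec from a "session" line. Added example, not from the thread
# or from FreeBSD; the pam.d line, the script path and /usr/share/skel
# are assumptions:
#   session  required  pam_exec.so  /usr/local/libexec/mkhomedir.sh

# create_home USER HOME SKEL
# Creates HOME for USER, seeded from SKEL, if it does not exist yet.
# Returns 0 on success (including "already exists"), 1 on refusal.
create_home() {
    user=$1; home=$2; skel=$3

    # Only absolute paths: a relative HOME in passwd is a misconfiguration,
    # not something a login-time root script should try to resolve.
    case $home in
        /*) ;;
        *) echo "mkhomedir: refusing relative home '$home'" >&2; return 1 ;;
    esac

    # Idempotent: never touch an existing path (file, dir or symlink).
    [ -e "$home" ] || [ -L "$home" ] && return 0

    # The parent must be a real directory, not a symlink: the chown -R
    # below must never follow a link someone planted in its place.
    parent=$(dirname "$home")
    if [ ! -d "$parent" ] || [ -L "$parent" ]; then
        echo "mkhomedir: parent '$parent' missing or a symlink" >&2
        return 1
    fi

    umask 077
    mkdir "$home" || return 1
    # Seed dotfiles from the skeleton; "skel/." copies hidden files too.
    if [ -d "$skel" ]; then
        cp -R "$skel"/. "$home"/ || return 1
    fi
    chmod 0700 "$home"
    # Hand the tree to the user and their primary group.
    grp=$(id -gn "$user") || return 1
    chown -R "$user:$grp" "$home"
}

# Entry point under pam_exec: act only when the session is being opened.
# PAM_USER and PAM_SM_FUNC in the environment are assumed to come from
# pam_exec. A non-zero exit is reported to PAM as a failure, so a broken
# passwd entry or unwritable parent fails closed instead of silently.
main() {
    [ "${PAM_SM_FUNC:-}" = "pam_sm_open_session" ] || return 0
    [ -n "${PAM_USER:-}" ] || return 1
    # Field 6 of the passwd entry is the home directory.
    home=$(getent passwd "$PAM_USER" | cut -d: -f6)
    [ -n "$home" ] || return 1
    create_home "$PAM_USER" "$home" /usr/share/skel
}

main "$@"
```

Because the script is idempotent and refuses symlinked parents, listing it on a session line is safe even though pam_exec runs it for both open and close of every session.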