Date: Thu, 16 Jul 1998 14:05:43 -0700 (MST)
From: "Chad R. Larson" <chad@freebie.dcfinc.com>
To: pajarola@cybertime.ch (Rico Pajarola)
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Finger and getpwent
Message-ID: <199807162105.OAA02417@freebie.dcfinc.com>
In-Reply-To: <3.0.32.19980716145425.00726d20@www.dlc.cybertime.ch> from Rico Pajarola at "Jul 16, 98 02:57:16 pm"
> I think something like this should go into /etc/login.conf. I already use
> the nologin file (which can be set per login-class) to make ftp-only
> accounts, and the ftpusers file to make email-only accounts. I like this
> solution because it looks 'clean' to me, but it's by far not complete. And
> the nicest login.conf doesn't help you if the programs you use don't look
> at it (and afaik only login itself looks at it yet, guess why it's called
> login.conf).
>
> Rico

The model that makes sense to me is the SysVr4 Service Access Controller (SAC). From a security standpoint, there were way too many different ways to get a "login" prompt from the system. The telnet daemon, the rlogin daemon, FTP, the regular login, the UUCP service, etc. So now there is only one process that issues "login", and everything else goes through it. That gives a single point to install authentication and access control.

The other band-aids grew up, in my opinion, as people who didn't have source to their systems tried to fix things up. We FreeBSDers have the facilities to implement a global solution similar to the SysVr4 one.

-crl
--
Chad R. Larson (CRL22)    Brother, can you paradigm?    602-953-1392
chad@dcfinc.com    chad@anasazi.com    larson1@home.com
DCF, Inc. - 14623 North 49th Place, Scottsdale, Arizona 85254

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message