From: "Chad R. Larson"
Message-Id: <199807162105.OAA02417@freebie.dcfinc.com>
Subject: Re: Finger and getpwent
To: pajarola@cybertime.ch (Rico Pajarola)
Date: Thu, 16 Jul 1998 14:05:43 -0700 (MST)
Cc: freebsd-stable@FreeBSD.ORG
In-Reply-To: <3.0.32.19980716145425.00726d20@www.dlc.cybertime.ch> from Rico Pajarola at "Jul 16, 98 02:57:16 pm"
Reply-to: chad@dcfinc.com

> I think something like this should go into /etc/login.conf. I already use
> the nologin file (which can be set per login-class) to make ftp-only
> accounts, and the ftpusers file to make email-only accounts. I like this
> solution because it looks 'clean' to me, but it's by far not complete. And
> the nicest login.conf doesn't help you if the programs you use don't look
> at it (and afaik only login itself looks at it yet, guess why it's called
> login.conf).
>
> Rico

The model that makes sense to me is the SysVr4 Service Access
Controller (SAC). From a security standpoint, there were way too many
different ways to get a "login" prompt from the system. The telnet
daemon, the rlogin daemon, FTP, the regular login, the UUCP service, etc.
So now there is only one process that issues "login", and everything
else goes through it. That gives a single point to install
authentication and access control.

The other band-aids grew up, in my opinion, as people who didn't have
source to their systems tried to fix things up. We FreeBSDers have the
facilities to implement a global solution similar to the SysVr4 one.

	-crl
--
Chad R. Larson (CRL22)  Brother, can you paradigm?
602-953-1392   chad@dcfinc.com  chad@anasazi.com  larson1@home.com
DCF, Inc. - 14623 North 49th Place, Scottsdale, Arizona 85254