Date:      Wed, 11 Nov 1998 20:20:41 -0800 (PST)
From:      John Polstra <jdp@polstra.com>
To:        "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
Cc:        cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, Peter Wemm <peter@netplex.com.au>
Subject:   Re: cvs commit: src/usr.bin/login Makefile login.c
Message-ID:  <XFMail.981111202041.jdp@polstra.com>
In-Reply-To: <12368.910821917@zippy.cdrom.com>

On 11-Nov-98 Jordan K. Hubbard wrote:

> Since you were doing all this for a client, I'm sure you also looked
> at all the security issues and points of vulnerability before adding
> PAM support - could you perhaps say a few words about this?  I only
> ask this specific pointed question because I have it on good authority
> that the Red Hat folks didn't do this initially and suffered a large
> number of security incidents traced to PAM in Red Hat 4.1 until they
> finally got things sorted out.  I don't know if it was a problem of
> their implementation or design (I suspect the former), but it does at
> least raise the reasonable question of security for us.

I looked in the Bugtraq archives, but what I found was fairly old and
didn't apply to the version I used.  Also, many of the problems were
specific to individual modules, and I didn't use any of the Linux
modules.  The native-style modules I wrote myself, such as the ones
for passwd, S/Key, and KerberosIV are simple wrappers around existing
library routines that we already have, so it was fairly easy to keep
from adding security problems with them.  For example, the KerberosIV
module just calls the klogin() code, which in the pre-PAM world is
linked directly into the login program.

If you or anyone else knows of specific reports I should check into,
by all means let me know.  But I do mean *specific*.  Anyone who just
has vague doubts based on ill-recalled rumors is kindly requested to
report them to his worry blanket rather than to me. :-)

John
---
  John Polstra                                               jdp@polstra.com
  John D. Polstra & Co., Inc.                        Seattle, Washington USA
  "Nobody ever went broke underestimating the taste of the American public."
                                                            -- H. L. Mencken
