Date:      Thu, 17 Feb 2000 18:15:43 -0800
From:      Alfred Perlstein <bright@wintelcom.net>
To:        current@FreeBSD.org
Cc:        Mark Murray <mark@grondar.za>, committers@FreeBSD.org
Subject:   Re: Crypto progress! (And a Biiiig TODO list)
Message-ID:  <20000217181543.G21720@fw.wintelcom.net>
In-Reply-To: <200002180127.UAA83711@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Feb 17, 2000 at 08:27:23PM -0500
References:  <200002172130.XAA23664@gratis.grondar.za> <200002180127.UAA83711@khavrinen.lcs.mit.edu>

* Garrett Wollman <wollman@khavrinen.lcs.mit.edu> [000217 17:55] wrote:
> <<On Thu, 17 Feb 2000 23:30:31 +0200, Mark Murray <mark@grondar.za> said:
> 
> > o I want to completely dekerberise userland, and only have kerberos
> >   via PAMs. A ton of work, and I have just started with this.
> 
> Huh?  PAM is Pluggable Authentication Modules, not Pluggable Protocol
> Modules....  It's unlikely that `rlogin' (for example) could be made
> to work this way.  (Of course, Kerberized `rlogin' is currently broken
> already, and has been for months, so perhaps I'm the only person left
> who cares.)
> 
> > o A daemon that userland can query for password checking; this is to
> >   get around the current requirement that things that need master.passwd
> >   access need to be suid root. It works, but needs tidying up, review
> >   and a PAM to query it. Not far to go!
> 
> I'm very uncomfortable with requiring Yet Another Daemon to manage
> (and screw up) password checking.  Generally speaking, if I wouldn't
> trust a program with root privileges, I wouldn't trust it with my
> password, either (for obvious reasons).

Yes, but the benefits of a correct implementation are quite awesome,
a centralized logging place to dole out authentication and potentially
administratively shut down/lock out accounts if a brute force attempt (or
other abuse) is detected.

-Alfred

