Date: Sat, 08 Jan 2000 12:42:58 -0800
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: freebsd-current@freebsd.org
Subject: Re: PAM'ized su(1)
Message-ID: <3.0.5.32.20000108124258.0093bb90@localhost>
In-Reply-To: <200001081932.OAA52181@khavrinen.lcs.mit.edu>
References: <3.0.5.32.20000108112936.0095f440@localhost> <3.0.5.32.20000108112936.0095f440@localhost>

At 02:32 PM 1/8/00 -0500, Garrett wrote:
><<On Sat, 08 Jan 2000 11:29:36 -0800, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> said:
>
>> I've noticed that su(1) is not yet PAM'ized. Is anybody
>> working on this? If so, I'm willing to test. If not
>> and time permits, I'll see if I can whip up an appropriate
>> patch.
>
>If you do this, please take care not to break WHEELSU (and its
>Kerberos equivalent), which has its fingers everywhere.

I would suggest:

If NO_PAM, the behavior would be simple, traditional BSD behavior
with very few optional features (such as WHEELSU).

If PAM, then Kerberos and Skey support would be provided via
appropriate PAM modules. This means that auth.conf can go away.
WHEELSU can (and should) be provided by pam_wheel.

So, the very first thing I would do to PAM'ize su.c would be to:

    mv su.c su.c.orig
    unifdef -UKERBEROS -USKEY < su.c.orig > su.c

Then I would add in PAM calls behind #ifndef NO_PAM.

Kurt