Date:      Fri, 23 May 2003 22:49:09 +0300
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        current@FreeBSD.org
Subject:   Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID:  <20030523194909.GB11988@sunbay.com>
In-Reply-To: <xzp1xypwiwa.fsf@flood.ping.uio.no>
References:  <20030522184631.A23366@bart.esiee.fr> <xzp65o2zkhf.fsf@flood.ping.uio.no> <20030522224850.GK87863@roark.gnf.org> <xzpof1uy28n.fsf@flood.ping.uio.no> <20030523060846.GC17107@sunbay.com> <xzp4r3mxjrx.fsf@flood.ping.uio.no> <20030523062848.GG17107@sunbay.com> <xzpr86pwx5m.fsf@flood.ping.uio.no> <20030523193724.GA9240@sunbay.com> <xzp1xypwiwa.fsf@flood.ping.uio.no>

On Fri, May 23, 2003 at 09:41:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru@FreeBSD.org> writes:
> > Why pam_nologin in the "auth" chain of the "login" service is marked
> > "required" and not "requisite", and why do we have the "required" at
> > all?  What's the point in continuing with the chain if we are going
> > to return the failure anyway?  What's the real application of
> > "required" as compared to "requisite"?
>
> Information leak.  The applicant screwed up, but we don't want to let
> him know that until he's jumped through all the *other* hoops as well;
> otherwise he might learn something about our authentication setup from
> the premature error message.
>
Works for the generic case, but not for this particular example.
Just run "shutdown -k now" locally, and watch how funny the login
session looks.  I don't think we're leaking something here.  ;)
Hm, or maybe this is just the problem with pam_nologin(8) not
respecting the "no_warn" option?


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
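
The difference between the two control flags discussed in this message, shown as an added example that is not part of the original e-mail or of FreeBSD's PAM code: a simplified Python model of how a chain is walked. The two-entry chains (with pam_unix as the second module), the scenario names and the function names are assumptions made for illustration.

```python
# Simplified model of how a PAM stack walks its chain (added illustration,
# not OpenPAM source). Module outcomes are supplied by the caller.

def run_chain(chain, outcomes):
    """Return (granted, invoked) for a list of (control, module) entries.

    outcomes maps module name -> True (module succeeded) or False (failed).
    invoked is the ordered list of modules that actually ran, which is
    what shapes the prompts and delays the applicant observes.
    """
    failed = False
    invoked = []
    for control, module in chain:
        invoked.append(module)
        ok = outcomes[module]
        if ok:
            if control == "sufficient" and not failed:
                break                     # early success ends the chain
            continue
        if control == "required":
            failed = True                 # remember the failure, keep going
        elif control == "requisite":
            failed = True
            break                         # stop at once
        # a failing "sufficient" or "optional" module does not fail the chain
    return (not failed), invoked


def distinguishable(chain, case_a, case_b):
    """True if two outcome sets run a different sequence of modules."""
    return run_chain(chain, case_a)[1] != run_chain(chain, case_b)[1]


# Constructed two-entry chains; only the control flag on pam_nologin differs.
REQUIRED = [("required", "pam_nologin"), ("required", "pam_unix")]
REQUISITE = [("requisite", "pam_nologin"), ("required", "pam_unix")]

# Constructed scenarios: logins disabled vs. a plain wrong password.
NOLOGIN_ACTIVE = {"pam_nologin": False, "pam_unix": True}
BAD_PASSWORD = {"pam_nologin": True, "pam_unix": False}

if __name__ == "__main__":
    for name, chain in (("required", REQUIRED), ("requisite", REQUISITE)):
        print(name, run_chain(chain, NOLOGIN_ACTIVE), "distinguishable:",
              distinguishable(chain, NOLOGIN_ACTIVE, BAD_PASSWORD))
```

The model tracks only which modules run; output that a module emits on its own is not modelled.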
