From owner-cvs-all Tue Mar 7 8:34: 3 2000
Delivered-To: cvs-all@freebsd.org
Received: from guard.polynet.lviv.ua (Guard.PolyNet.Lviv.UA [209.58.62.194])
	by hub.freebsd.org (Postfix) with SMTP id 3486C37BBE5
	for ; Tue, 7 Mar 2000 08:33:37 -0800 (PST)
	(envelope-from pam@postoffice.polynet.lviv.ua)
Received: (qmail 67037 invoked from network); 7 Mar 2000 16:33:30 -0000
Received: from unknown (HELO postoffice.polynet.lviv.ua) (unknown)
	by unknown with SMTP; 7 Mar 2000 16:33:30 -0000
Received: (qmail 87130 invoked by uid 1001); 7 Mar 2000 16:33:29 -0000
Date: 7 Mar 2000 18:33:29 +0200
Date: Tue, 7 Mar 2000 18:33:29 +0200
From: Adrian Pavlykevych
To: Peter Wemm
Cc: "Andrew J. Korty" , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_ssh Makefile
Message-ID: <20000307183329.A86723@polynet.lviv.ua>
References: <20000307031141.39FAD1CDE@overcee.netplex.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000307031141.39FAD1CDE@overcee.netplex.com.au>; from peter@netplex.com.au on Tue, Mar 07, 2000 at 11:11:41AM +0800
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Mar 07, 2000 at 11:11:41AM +0800, Peter Wemm wrote:
> "Andrew J. Korty" wrote:
> >
> > The login program doesn't use the PAM session layer, probably
> > because there is no underlying program running during the session
> > as there is with XDM, so there would be no way to close the PAM
> > session.
>
> Linux's login program does "hang around" to implement the session stuff. I'm
> not sure of the details.
>
> BTW; I suspect there isn't much to stop us making a liblogin (or move the
> login stuff to libutil) and build calls to it directly into telnetd,
> rlogind, rshd, getty, sshd, etc. We could implement persistent supervisors
> that way.
> (getty would have to hang around though instead of exec'ing a
> login, but that's no big deal these days considering the majority of
> machines that have lots of logins use telnetd/sshd/xwindows instead of
> physical ttys)

I think that it is an excellent idea, current level of PAM support seems
more like declaration of will, than the real support. I think that
login_cap* functions, as well as password expiration checks should be
moved to separate PAM modules as well. Login program should be as simple
as possible, the rest should be done inside PAM infrastructure.

Unless we are dealing with some sort of pre-authentication, like Kerberos
ticket or ssh RSAAuthentication, all the rest should be offloaded from
programs/servers to PAM.

The question is only if this is a feasible task, or not.

Regards,

> Cheers,
> -Peter
>

-- 
Adrian Pavlykevych                      email:
System Administrator                    phone/fax: +380 (322) 742041
State University "Lvivska Polytechnica"