From: Dag-Erling Smorgrav
To: "Andrey A. Chernov"
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
Date: Sun, 16 Feb 2003 00:46:27 +0100

"Andrey A. Chernov" writes:
> There is no need to explicitly allow localhost in /etc/opieaccess. It
> already works by default, as designed, see OPIE code.

It does not work by default; pam_opieaccess previously had special-case
code to handle this (by explicitly allowing non-OPIE logins when
PAM_RHOST was NULL).
This behaviour was very surprising to people who wanted to prevent OPIE
users from using their passwords even locally, as they had no way of
knowing that login(1) happened to set PAM_RHOST to NULL for local
logins.

> Your this and
> /etc/opieaccess changes break POLA.

How? They preserve historical behaviour while allowing admins to
implement a stricter policy, should they wish to do so.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org