Date: Mon, 28 May 2001 17:47:29 -0700
From: Kris Kennaway
To: Peter Jeremy
Cc: Mark Murray, arch@FreeBSD.ORG
Subject: Re: PAM, S/Key and authentication schemes.
Message-ID: <20010528174728.A39588@xor.obsecurity.org>
References: <200105251240.f4PCeO612402@gratis.grondar.za> <20010528121804.Q89950@gsmx07.alcatel.com.au>
In-Reply-To: <20010528121804.Q89950@gsmx07.alcatel.com.au>; from peter.jeremy@alcatel.com.au on Mon, May 28, 2001 at 12:18:05PM +1000

On Mon, May 28, 2001 at 12:18:05PM +1000, Peter Jeremy wrote:
> On 2001-May-25 14:42:40 +0200, Mark Murray wrote:
> >I'd like to properly PAM-ize the things that need it, and simplify
> >where possible and where appropriate. In most cases, this means
> >gutting out the convoluted logic in favour of pam _only_.
>
> Sounds good.
>
> The only danger area I can see is the need to check root password to
> get to single-user if the console is not secure. This needs to work
> even if (and especially when) the system is hosed. I wouldn't like to
> see init become dependent on the dynamic loader and various PAM
> libraries in this case.

We also compile all of the PAM modules included in the base system
into a static libpam which allows statically-linked binaries to work,
up to a point (they won't work if the system administrator tries to
use a third-party PAM module).

Kris