Date: Fri, 19 Jan 2001 20:39:39 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: "David J. MacKenzie" <djm@web.us.uu.net>
Cc: markm@FreeBSD.org, jdp@FreeBSD.org, nectar@FreeBSD.org, rwatson@FreeBSD.org, audit@FreeBSD.org
Subject: Re: login_access()
Message-ID: <20010119203939.C17925@citusc17.usc.edu>
In-Reply-To: <20010120042353.C4E1912686@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 11:23:53PM -0500
References: <20010120042353.C4E1912686@jenkins.web.us.uu.net>

[ Moving to -audit, which is more on-topic for discussion of
security-related code patches]

On Fri, Jan 19, 2001 at 11:23:53PM -0500, David J. MacKenzie wrote:
> > This sounds like a good way to proceed (well, PAM module first, then
> > removal/deprecation). Are you able to submit code to do the former?
>
> It's been done back in 1997, actually. Linux-PAM comes with a
> pam_access module that is a pamified version of that login_access()
> function. FreeBSD (-stable) comes with Linux-PAM 0.66, apparently
> from 1998. Recent versions (0.72) come with several modules
> not included in FreeBSD (-stable), including pam_access.

Oh, cool. That sounds like the way to go, then.

Some historical background you may not have: we're using an old and
cut-down version of PAM because it was audited by John Polstra as part
of a commercial contract (and indeed, we haven't had any security
problems with the code, that I know of - although this could admittedly
just be because it hasn't received enough attention).

On the one hand, we need to finish integrating PAM into the system - on
the other hand any kind of non-trivial changes to authorization and
authentication schemes worry me because of the potential to introduce
security holes.

If we can find someone PAM-knowledgeable to work with you to carefully
review any changes (several candidates are CC'ed on this message), I'd
be eager to sponsor you for a commit bit so you can work on this
directly.

Kris

--
Note: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org