Date: Wed, 06 Mar 2002 19:12:05 -0500
From: "Brian F. Feldman" <green@FreeBSD.org>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules modules.inc src/lib/libpam/modules/pam_alreadyloggedin Makefile pam_alreadyloggedin.8 pam_alreadyloggedin.c
Message-ID: <200203070012.g270C5m43660@green.bikeshed.org>
In-Reply-To: Your message of "07 Mar 2002 00:44:51 +0100." <xzp66496z2k.fsf@flood.ping.uio.no>

Dag-Erling Smorgrav <des@ofug.org> wrote:
> "Brian F. Feldman" <green@FreeBSD.org> writes:
> > Robert took a look at it, and other people agreed it was a generally
> > interesting module to have. Add to that that it's small, not turned on
> > unless you do it yourself, and doesn't break the build, and I don't see what
> > the problem is adding a new PAM module.
>
> You know that I am working on PAM, yet it did not occur to you to even
> ask me if I had thought of something like this, or if I had any plans
> to implement something like this. Even assuming that I think
> pam_alreadyloggedin is a good idea (which I don't), it did not even
> occur to you that I might possibly object to the name of the module
> (which I do), or the way it was implemented (which I do), or the code
> style (which I do). It did not even occur to you that less than 24
> hours after I completely replaced libpam with new and relatively
> untested code might not be the ideal time to commit a new module.

No, it absolutely didn't. Whether it's a good idea or not is up to anyone that decides if they want to use it. If you object to the name, want to suggest another? What in the world do you mean by "the way it was implemented", and how is the code style any different from KNF? I had also tested the module initially on old-PAM and then on OpenPAM and it worked just fine in both cases for the scenarios I could come up with. Now other people can test it if they want to. It in no way affects anyone's life with PAM unless they decide to go out of their way and try it out. Personally, I use it on my laptop with "no_root restrict_tty=ttyv*", in my /etc/pam.d/login, since I rather like not having to type in my SSH key's passphrase all day now.

> I don't really mind having the module in the tree, even though I think
> it's a spectacularly bad idea from a security standpoint, but I do
> mind its name and about half of its implementation (measured in loc),
> so you might as well back it out.

Do you mind actually suggesting what's supposed to be so bad about "half of its implementation"? Also, please explain how it's any worse from a security standpoint to have this ability than it is to, say, default to the console being a "secure" tty so not requiring a root password, or anything else in the system. It's not going to decrease the security of a system, because anyone who is going to use it knows what it does already and knows in what ways it would "compromise" a system.

*grumbles something about everyone wanting to take things as an affront in all situations nowadays*

-- 
Brian Fundakowski Feldman                      \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org <> bfeldman@tislabs.com  \  The Power to Serve! \
      Opinions expressed are my own.             \,,,,,,,,,,,,,,,,,,,,,,\

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message