* Garrett Wollman <[EMAIL PROTECTED]> [000217 17:55] wrote:
> <<On Thu, 17 Feb 2000 23:30:31 +0200, Mark Murray <[EMAIL PROTECTED]> said:
>
> > o I want to completely dekerberise userland, and only have kerberos
> > via PAMs. A ton of work, and I have just started with this.
>
> Huh? PAM is Pluggable Authentication Modules, not Pluggable Protocol
> Modules.... It's unlikely that `rlogin' (for example) could be made
> to work this way. (Of course, Kerberized `rlogin' is currently broken
> already, and has been for months, so perhaps I'm the only person left
> who cares.)
>
> > o A daemon that userland can query for password checking; this is to
> > get around the current requirement that things that need master.passwd
> > access need to be suid root. It works, but needs tidying up, review
> > and a PAM to query it. Not far to go!
>
> I'm very uncomfortable with requiring Yet Another Daemon to manage
> (and screw up) password checking. Generally speaking, if I wouldn't
> trust a program with root privileges, I wouldn't trust it with my
> password, either (for obvious reasons).

Yes, but the benefits of a correct implementation are quite awesome,
a centralized logging place to dole out authentication and potentially
administratively shut down/lock out accounts if a brute force attempt (or
other abuse) is detected.
-Alfred
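
The centralized logging and lockout idea from the reply above, as an added example that is not part of the original message or of any FreeBSD code: a single decision point that logs every attempt and locks an account after repeated failures. All names and policy values (`auth_attempt`, `MAX_FAILS`, the `authd:` log prefix) are hypothetical, and the password check itself is assumed to happen elsewhere and arrive as `password_ok`.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed policy values, chosen for illustration only. */
#define MAX_ACCOUNTS 64
#define MAX_FAILS    5     /* failures tolerated inside WINDOW_SECS */
#define WINDOW_SECS  300
#define LOCK_SECS    900

enum verdict { AUTH_OK, AUTH_FAIL, AUTH_LOCKED };
struct acct { char user[32]; int fails; time_t first_fail, locked_until; };
static struct acct table[MAX_ACCOUNTS];

/* Find or create the slot for user; NULL for an empty or over-long name,
 * or when the fixed-size table is full (the caller then fails closed). */
static struct acct *slot(const char *user) {
    struct acct *free_slot = NULL;
    if (user[0] == '\0' || strlen(user) >= sizeof table[0].user) return NULL;
    for (int i = 0; i < MAX_ACCOUNTS; i++) {
        if (strcmp(table[i].user, user) == 0) return &table[i];
        if (!free_slot && table[i].user[0] == '\0') free_slot = &table[i];
    }
    if (free_slot) snprintf(free_slot->user, sizeof free_slot->user, "%s", user);
    return free_slot;
}

/* Record one attempt. The lock is tested before the password result, so a
 * correct guess made during the lockout period is still refused. */
enum verdict auth_attempt(const char *user, int password_ok, time_t now) {
    struct acct *a = slot(user);
    if (a == NULL) return AUTH_FAIL;
    if (now < a->locked_until) {
        fprintf(stderr, "authd: %s refused, account locked\n", user);
        return AUTH_LOCKED;
    }
    if (password_ok) { a->fails = 0; return AUTH_OK; }
    if (a->fails == 0 || now - a->first_fail > WINDOW_SECS) {
        a->fails = 0; a->first_fail = now;   /* start a new counting window */
    }
    if (++a->fails >= MAX_FAILS) {
        a->locked_until = now + LOCK_SECS; a->fails = 0;
        fprintf(stderr, "authd: %s locked after %d failures\n", user, MAX_FAILS);
        return AUTH_LOCKED;
    }
    fprintf(stderr, "authd: %s failed (%d/%d)\n", user, a->fails, MAX_FAILS);
    return AUTH_FAIL;
}

int main(void) {   /* constructed timeline: five failures, then a correct try */
    for (int i = 0; i < MAX_FAILS; i++) auth_attempt("alice", 0, 1000 + i);
    return auth_attempt("alice", 1, 1010) == AUTH_LOCKED ? 0 : 1;
}
```

Locking on failure count alone lets anyone who knows an account name lock its owner out, so a per-source limit is the usual companion to this check.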