
Re: Alex, help with login? (Was: PAMified login?)

Elliot Lee:
> Let me just say that I really like the way linux does it...  The idea of
> someone being able to change my gecos to 'Sex Slave' when I'm away from
> the keyboard is kind of crazy ;-) 

Not that it is really PAM-related, but if someone has access to your
account while you're away from the keyboard, you're screwed anyway.
Changing your gecos will be the least of your problems :-).

NIS is a different story - yppasswdd needs the password to change
anything.  It is understandable, it can't trust the remote user
over the network.  That's why ypchfn/ypchsh prompt for password.
But chfn/chsh can change only *local* user information.

> In a sense, password authentication should be required for anything that
> involves a specific user.  </$0.02>

Like sending mail, or editing the user's files such as .profile
or (flawed to begin with but many people do it anyway) .rhosts?

I can see the need to protect passwd (if someone changes your
password, you can't log back in and fix it), or your PGP secret
key (using a passphrase) this way, but for just about anything
else - that's what programs like xlock are for...

[ Back to PAM. ]

Any ideas how we should deal with changing NIS passwords in
the pam_unix module?  NIS makes no visible difference as far
as authentication is concerned (just use getpwnam() as usual)
but we need some way to distinguish local and NIS passwords
when changing them.  Is it OK to just assume that if it's not
in the local passwd file, it must be a NIS password?

Solaris 2.5 supports "passwd -r files|nis|nisplus", so it is
possible to specify where to change the password, but how do
we pass that -r option argument to pam_sm_chauthtok()?
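
The "not in the local passwd file, so it must be NIS" heuristic asked about above, as an added example that is not part of the original message or of pam_unix. The names `classify`, `in_local_text` and `sample_resolves`, and the sample data, are hypothetical; the third result shows the case the heuristic alone does not cover.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum pw_source { PW_LOCAL, PW_NIS, PW_UNKNOWN };

/* Constructed sample in passwd(5) format. "+bob" is a NIS compat entry,
   not a real local account, so it must not count as local. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
    "+bob::::::\n";

/* 1 if `user` is exactly the name field of some line in passwd-format text. */
static int in_local_text(const char *text, const char *user) {
    size_t n = strlen(user);
    const char *p = text;
    if (n == 0) return 0;
    while (p && *p) {
        if (strncmp(p, user, n) == 0 && p[n] == ':') return 1;
        p = strchr(p, '\n');          /* advance to the next line */
        if (p) p++;
    }
    return 0;
}

/* What a module would use: does the name service (files, NIS, ...) know the user? */
int nss_resolves(const char *user) { return getpwnam(user) != NULL; }

/* Constructed stand-in for nss_resolves() so the sample runs offline. */
int sample_resolves(const char *user) {
    return !strcmp(user, "root") || !strcmp(user, "alice") || !strcmp(user, "bob");
}

/* Local file first; resolvable but not local is assumed to be NIS (it could
   equally be NIS+ on a system with both); not resolvable at all is unknown. */
enum pw_source classify(const char *text, const char *user,
                        int (*resolves)(const char *)) {
    if (in_local_text(text, user)) return PW_LOCAL;
    return resolves(user) ? PW_NIS : PW_UNKNOWN;
}

int main(void) {
    static const char *names[] = { "local", "nis", "unknown" };
    const char *users[] = { "alice", "bob", "mallory" };
    for (int i = 0; i < 3; i++)
        printf("%s: %s\n", users[i],
               names[classify(SAMPLE_PASSWD, users[i], sample_resolves)]);
    return 0;
}
```
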

