
RE: pam_rhosts question



In case you haven't discovered by now, yes, I have another objection to
it.

The function of doing the conversation is the responsibility of the   
caller to the PAM modules. If you don't want to prompt the user for the   
values then make the rlogind program or whatever fail the conversation.

The modules, themselves, should obtain the data which they need to do the   
authentication. The only method by which a missing item may be obtained   
is to conduct a conversation.

Yes, you should leave the requests in the pam_rhosts file.

Yes, you should make rlogind have a conversation procedure which simply   
returns PAM_ERROR.

There is no inherent security problem, any more than someone writing an
application and doing the pam_set_item function. If you permit an   
application to call pam_set_item to set the remote user or the remote   
host then you have the same problem as permitting a conversation to set   
them.

Don't forget that the pam.conf file should be secured for root write   
access only and that the pam modules secured against all but root write   
access as well. This means that a general user who may write a program is   
not going to get very far in attempting to gain authorities beyond the   
present capabilities.

 ----------
From:  Michael K. Johnson[SMTP:johnsonm@redhat.com]
Sent:  Wednesday, July 24, 1996 10:53 AM
To:  pam-list
Subject:  pam_rhosts question


While looking for a phantom bug in pam_rhosts, I found something that
bothers me a bit, and I'd like comment from the rest of the list.

Is it appropriate for pam_rhosts to interactively query for the remote
username and remote hostname?  Shouldn't it simply fail if the application
calling it doesn't set those items?  It's not an issue for applications
which are built to work with it, such as in.r*d, but when silly, uninformed
sysadmins just throw it in thinking "it's just another PAM module, no
problem" it presents a security hole by letting the user give what should
be independently-provided information -- kind of like the rlogin hole
with login -f of a few years back.

I'd like to propose that the rhosts module should simply fail if
either PAM_RUSER or PAM_RHOST is not set.

Any objections?
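
The two positions in this thread, side by side, as an added example that is not part of either message and is not Linux-PAM code: a self-contained C model in which the item store, return codes, policy flag and the trusted pair alice/trusted.example are constructed stand-ins. It shows that either a caller whose conversation always fails or a module that fails on unset items rejects a remote identity typed in by the user.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, NOT the libpam API: local stand-ins for items and codes. */
enum { ITEM_RUSER, ITEM_RHOST, ITEM_COUNT };
enum { RC_OK = 0, RC_AUTH_ERR = 1, RC_CONV_ERR = 2 };
enum policy { ASK_IF_MISSING, FAIL_IF_MISSING };
typedef int (*conv_fn)(const char *prompt, char *out, size_t len);
struct handle { const char *item[ITEM_COUNT]; conv_fn conv; };

/* Conversation for a non-interactive daemon: it never supplies an answer. */
static int conv_refuse(const char *prompt, char *out, size_t len) {
    (void)prompt; (void)out; (void)len; return RC_CONV_ERR;
}

/* Interactive conversation. Constructed input: the user types the trusted pair. */
static int conv_user_typed(const char *prompt, char *out, size_t len) {
    snprintf(out, len, "%s", strstr(prompt, "user") ? "alice" : "trusted.example");
    return RC_OK;
}

/* Use the caller-set item if present; otherwise apply the module's policy. */
static int get_item(struct handle *h, int id, enum policy p,
                    const char *prompt, char *buf, size_t len) {
    if (h->item[id]) { snprintf(buf, len, "%s", h->item[id]); return RC_OK; }
    if (p == FAIL_IF_MISSING) return RC_AUTH_ERR;
    return h->conv(prompt, buf, len) == RC_OK ? RC_OK : RC_AUTH_ERR;
}

/* Model of the rhosts decision with one trusted (user, host) pair. */
int rhosts_auth(struct handle *h, enum policy p) {
    char ruser[64], rhost[64];
    if (get_item(h, ITEM_RUSER, p, "remote user: ", ruser, sizeof ruser)) return RC_AUTH_ERR;
    if (get_item(h, ITEM_RHOST, p, "remote host: ", rhost, sizeof rhost)) return RC_AUTH_ERR;
    return !strcmp(ruser, "alice") && !strcmp(rhost, "trusted.example") ? RC_OK : RC_AUTH_ERR;
}

/* items_set: the caller took both values from the connection and set them. */
int run_case(int items_set, int interactive, enum policy p) {
    struct handle h = { { NULL, NULL }, interactive ? conv_user_typed : conv_refuse };
    if (items_set) { h.item[ITEM_RUSER] = "alice"; h.item[ITEM_RHOST] = "trusted.example"; }
    return rhosts_auth(&h, p);
}

int main(void) {
    printf("items unset, user conv, ask:     %d\n", run_case(0, 1, ASK_IF_MISSING));
    printf("items unset, refusing conv, ask: %d\n", run_case(0, 0, ASK_IF_MISSING));
    printf("items unset, user conv, fail:    %d\n", run_case(0, 1, FAIL_IF_MISSING));
    return 0;
}
```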


