Re: Su doesn't work with pam-0.56

Han Holl:
> And here again the communication with the user is confusing as well:
> su: password incorrect
> is misleading, because it's so specific.
> su: permission denied
> would be an improvement.
> su: only members of 'wheel' group can su to root
> would be just great.

This reminds me of some of the "fun" I've had diagnosing
authentication problems on high security systems.

While some people will argue that knowing what security mechanism you
tripped up against should itself be privileged information, it's also
true that to have good security you need to audit the security

It's too easy, in a deployed system, to disable some critical piece of
security under the mistaken idea that it's preventing users from
accessing the system.

[I've not looked at pam to see if it will give a trace of which
mechanisms are being checked against, with success/fail.  Presumably
it's in there -- if not, here's a red flag.]


