Re: Question concerning PAM modules and root ...

On Thu, 28 May 1998, The Hermit Hacker wrote:

> Ack...just as a suggestion, but why not something like for ftpd, where you
> can have an ftpusers file that lists those that *can't* be authenticated
> "offline" can be listed?  something that says no matter what module you
> use, these users *must* be authenticated against the local password file?

It sounds like you're asking for authentication controls to be built into
libpam itself, to protect people from pulling boneheaded maneuvers when
configuring their modules.  This... is wrong.  libpam's only job is to let
the modules and the applications find each other.  If it's a question of
how authentication should be done, you configure it in the pam config
file(s), and use the appropriate modules to do the job.  Since it's
entirely possible to secure against the situation you described /without/
having to unnecessarily complicate the interface, there's no reason for
it.  There are already modules out there (pam_listfile comes to mind)
which provide this functionality where it belongs.

Just my 2 cents. I don't speak for the pam authors, but I /would/ throw a
very large fit if something like this were to be put into the pam library.

                          -Steve Langasek
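
The approach the reply points to, worked as an added example that is not part of the original message: a Linux-PAM auth stack that uses pam_listfile to force listed accounts through the local password file. The service file name, the list path and the use of pam_ldap.so as the network module are assumptions; the bracketed control syntax is that of current Linux-PAM.

```conf
# /etc/pam.d/login   (assumed service file; added example, not from the post)
#
# /etc/security/local-only-users (assumed path), one login name per line:
#   root
#   operator
# Keep the list root-owned and not world-writable; pam_listfile treats a
# world-writable or non-regular file as an error.

# 1. Is the user on the local-only list?
#    listed     -> PAM_SUCCESS  -> success=1 jumps over the next module
#    not listed -> PAM_AUTH_ERR -> default=ignore, continue with step 2
#    onerr=succeed makes a missing or unreadable list behave like "listed",
#    so an error skips the network module for everyone (fails closed).
auth  [success=1 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/security/local-only-users onerr=succeed

# 2. Network authentication. pam_ldap.so stands in for whatever "offline"
#    module is in use; listed users never reach this line.
auth  sufficient  pam_ldap.so

# 3. Local password file. This is the only module that can authenticate a
#    listed user, and the fallback for everyone else.
auth  required    pam_unix.so try_first_pass
```

The policy lives entirely in the service's PAM configuration; libpam and the network module need no knowledge of the list.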

