From owner-freebsd-current Sat Jan 8 12:44:29 2000
Delivered-To: freebsd-current@freebsd.org
Received: from cantor.boolean.net (cantor.boolean.net [209.133.111.73]) by hub.freebsd.org (Postfix) with ESMTP id 0406014FAC for ; Sat, 8 Jan 2000 12:44:18 -0800 (PST) (envelope-from Kurt@OpenLDAP.Org)
Received: from gypsy (localhost [127.0.0.1]) by cantor.boolean.net (8.9.3/8.9.3) with SMTP id UAA46052; Sat, 8 Jan 2000 20:44:06 GMT (envelope-from Kurt@OpenLDAP.Org)
Message-Id: <3.0.5.32.20000108124258.0093bb90@localhost>
X-Sender: kurt@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 08 Jan 2000 12:42:58 -0800
To: Garrett Wollman
From: "Kurt D. Zeilenga"
Subject: Re: PAM'ized su(1)
Cc: freebsd-current@freebsd.org
In-Reply-To: <200001081932.OAA52181@khavrinen.lcs.mit.edu>
References: <3.0.5.32.20000108112936.0095f440@localhost> <3.0.5.32.20000108112936.0095f440@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 02:32 PM 1/8/00 -0500, Garrett wrote:
>< said:
>
>> I've noticed that su(1) is not yet PAM'ized. Is anybody
>> working on this? If so, I'm willing to test. If not
>> and time permits, I'll see if I can whip up an appropriate
>> patch.
>
>If you do this, please take care not to break WHEELSU (and its
>Kerberos equivalent), which has its fingers everywhere.

I would suggest:

If NO_PAM, the behavior would be simple, traditional BSD behavior with very few optional features (such as WHEELSU).

If PAM, then Kerberos and Skey support would be provided via appropriate PAM modules. This means that auth.conf can go away. WHEELSU can (and should) be provided by pam_wheel.

So, the very first thing I would do to PAM'ize su.c would be to:

    mv su.c su.c.orig
    unifdef -UKERBEROS -USKEY < su.c.orig > su.c

Then I would add in PAM calls behind #ifndef NO_PAM.
Kurt