From owner-freebsd-security Sat Oct 23 1:31:54 1999
Date: Sat, 23 Oct 1999 04:31:28 -0400 (EDT)
From: Mike Nowlin
To: Robert Watson
Cc: security@FreeBSD.ORG
Subject: Re: Kerberos integration into ports--in particular, SSH

> It looks like many ports still don't use PAM for authentication. This is
> not something I have time to address, it's just a comment that it would be
> nice if now that we have PAM, things used PAM :-). Also, it's a little
> funky to have an /etc/auth.conf and a /etc/pam.conf -- auth.conf seems
> only to affect su?

It seems that a lot of the system still doesn't use PAM for auth... A
quick grep of ftpd (a recent pamifying project) returns:

    twikki:/usr/src/libexec/ftpd$ grep -i pam *
    Makefile:.PATH: ${.CURDIR}/../../lib/libpam/modules/pam_kerberosIV

We developed some changes to ftpd to support PAM (haven't submitted them
yet -- a couple of quirks to work out), but I'm sure a lot of the system
doesn't handle it yet. Is there a doc somewhere which gets into this, or
does one need to be written? We're trying to handle security through a
PAM/(PostgreSQL|MySQL) interface as much as possible, so we're willing to
do a bit of fixing if necessary.

--mike