Date: Wed, 4 Sep 2013 13:07:01 +0400
From: Lev Serebryakov <lev@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov <slw@zxy.spb.ru>
Subject: Re: OpenSSH, PAM and kerberos
Message-ID: <141305885.20130904130701@serebryakov.spb.ru>
In-Reply-To: <867gext445.fsf@nine.des.no>
References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> <86vc2it2ip.fsf@nine.des.no> <1601348478.20130903182152@serebryakov.spb.ru> <86fvtludku.fsf@nine.des.no> <1289783626.20130904002038@serebryakov.spb.ru> <867gext445.fsf@nine.des.no>
Hello, Dag-Erling.
You wrote on 4 September 2013, 11:53:14:

DES> Lev Serebryakov <lev@FreeBSD.org> writes:
>> Accepting input from a hostile user is a huge security issue per se? Ouch. In
>> the modern world there are only hostile users. Yes, all our software has
>> huge security issues, I know that :)
DES> Please look up "privilege separation" on Wikipedia so you have at least
DES> *some* idea of what we're talking about.

I have *some* idea what "privilege separation" is, thank you.

>> As far as I understand, PAM is not the 40-year-old getpwnam() API. It is a
>> (relatively) modern API to replace getpwnam(), with support for modern
>> identity databases in mind.
DES> No, PAM does not replace getpwnam(). PAM does not handle identity at
DES> all. NSS handles identity with the old getpwnam() API.

Ouch. Why didn't you see that it was a quotation from your message? I know that PAM is not an exact replacement for getpwnam(), as it only "checks password" (please don't point out to me that it can do more than "check password"; I know, and I use quotes here to point out that this is a simplification), but I thought that you used this concrete function call as a meta-name for all the old AAA/identity APIs from POSIX, and I accepted it.

DES> I'm not going to answer the rest - it is so full of misconceptions,
DES> fallacies and incorrect assumptions that I simply don't have the
DES> energy.

BTW, you wrote in another message:

DES> I am *not* proposing to move PAM into a daemon. I am proposing
DES> something completely new. I thought I made that clear.

No, you didn't make it clear. All your previous messages left the impression that you propose to move the PAM API into a separate daemon with a somewhat simpler API, accessible via a socket. Do you have any notes, draft, whatever, about what you propose exactly, more specific than "we need an AAA/identity daemon instead of all the old APIs"?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>