Date: Thu, 24 Jan 2002 19:43:27 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.org> To: "Andrey A. Chernov" <ache@nagual.pp.ru> Cc: Dag-Erling Smorgrav <des@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c Message-ID: <Pine.NEB.3.96L.1020124194101.67438F-100000@fledge.watson.org> In-Reply-To: <20020125003730.GB89126@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 25 Jan 2002, Andrey A. Chernov wrote:
> > "safe". For example, are there any potential negative effects if I break
> > into your upstream nameserver (at an ISP, say), and cause localhost to
> > resolve to my address, and likewise reverse lookup? Does opieaccess()
> > actually convert localhost to 127.0.0.1, or does it rely on the resolver
> > library? Will localhost actually resolve to 127.0.0.1, or might it
> > resolve purely to ::1 on an IPv6-only system?
>
> OPIE relies on resolver. Since localhost is always in /etc/hosts, you
> can't mimic it using upstream name server. OPIE currently not support
> IPv6, but I remember I see patch recently planned to be commited to fix
> this.
localhost is frequently in /etc/hosts, and hosts is often the first item
in /etc/{nsswitch.conf,host.conf}. However, it still seems to me that
this is an unfortunate design choice. While I'm not all that familiar
with the PAM spec, it strikes me that I'd much rather have the notion of
'local' be defined without putting the resolver in the path. Are there
any other primitives than PAM_RHOST that could be used to specify the
login source?
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org NAI Labs, Safeport Network Services
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020124194101.67438F-100000>