From: Robert Watson
Date: Thu, 24 Jan 2002 19:43:27 -0500 (EST)
To: "Andrey A. Chernov"
Cc: Dag-Erling Smorgrav, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
In-Reply-To: <20020125003730.GB89126@nagual.pp.ru>

On Fri, 25 Jan 2002, Andrey A. Chernov wrote:

> > "safe". For example, are there any potential negative effects if I break
> > into your upstream nameserver (at an ISP, say), and cause localhost to
> > resolve to my address, and likewise reverse lookup? Does opieaccess()
> > actually convert localhost to 127.0.0.1, or does it rely on the resolver
> > library? Will localhost actually resolve to 127.0.0.1, or might it
> > resolve purely to ::1 on an IPv6-only system?
>
> OPIE relies on the resolver. Since localhost is always in /etc/hosts, you
> can't mimic it using an upstream name server. OPIE currently does not support
> IPv6, but I remember I saw a patch recently planned to be committed to fix
> this.

localhost is frequently in /etc/hosts, and hosts is often the first item
in /etc/{nsswitch.conf,host.conf}. However, it still seems to me that
this is an unfortunate design choice.
While I'm not all that familiar with the PAM spec, it strikes me that
I'd much rather have the notion of 'local' be defined without putting
the resolver in the path. Are there any other primitives than PAM_RHOST
that could be used to specify the login source?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
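
One way to define "local" with no resolver in the path, as an added example that is not part of the original message and not FreeBSD's pam_opieaccess code: accept only numeric loopback literals and refuse to interpret names at all. The name classify_rhost() and its enum are hypothetical, and the sketch assumes the application passes the peer's numeric address as the remote-host string.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical classification of a remote-host string (e.g. a PAM_RHOST value). */
enum rhost_class { RHOST_UNSET, RHOST_LOOPBACK, RHOST_REMOTE, RHOST_NOT_NUMERIC };

/*
 * Classify rhost using inet_pton() only. inet_pton() parses address
 * literals and never consults /etc/hosts, nsswitch or DNS, so the answer
 * cannot be influenced by anything the resolver would look at.
 */
enum rhost_class
classify_rhost(const char *rhost)
{
	static const unsigned char v6_loopback[16] =
	    { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1 };
	static const unsigned char v4_mapped[12] =
	    { 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff };
	struct in_addr in4;
	struct in6_addr in6;

	/* No source recorded: the caller must decide what that means. */
	if (rhost == NULL || *rhost == '\0')
		return (RHOST_UNSET);

	if (inet_pton(AF_INET, rhost, &in4) == 1) {
		/* Loopback is all of 127.0.0.0/8, not just 127.0.0.1. */
		return ((ntohl(in4.s_addr) >> 24) == 127 ?
		    RHOST_LOOPBACK : RHOST_REMOTE);
	}
	if (inet_pton(AF_INET6, rhost, &in6) == 1) {
		if (memcmp(in6.s6_addr, v6_loopback, 16) == 0)
			return (RHOST_LOOPBACK);
		/* A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d. */
		if (memcmp(in6.s6_addr, v4_mapped, 12) == 0 &&
		    in6.s6_addr[12] == 127)
			return (RHOST_LOOPBACK);
		return (RHOST_REMOTE);
	}
	/* "localhost" and every other name end up here: fail closed. */
	return (RHOST_NOT_NUMERIC);
}
```

A caller that wants the behaviour argued for above would treat only RHOST_LOOPBACK as local and handle RHOST_NOT_NUMERIC as untrusted rather than falling back to a name lookup.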