Date: Fri, 23 May 2003 21:41:09 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: current@FreeBSD.org
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <xzp1xypwiwa.fsf@flood.ping.uio.no>
In-Reply-To: <20030523193724.GA9240@sunbay.com> (Ruslan Ermilov's message of "Fri, 23 May 2003 22:37:24 +0300")
References: <20030522184631.A23366@bart.esiee.fr> <xzp65o2zkhf.fsf@flood.ping.uio.no> <20030522224850.GK87863@roark.gnf.org> <xzpof1uy28n.fsf@flood.ping.uio.no> <20030523060846.GC17107@sunbay.com> <xzp4r3mxjrx.fsf@flood.ping.uio.no> <20030523062848.GG17107@sunbay.com> <xzpr86pwx5m.fsf@flood.ping.uio.no> <20030523193724.GA9240@sunbay.com>

Ruslan Ermilov <ru@FreeBSD.org> writes:
> Why pam_nologin in the "auth" chain of the "login" service is marked
> "required" and not "requisite", and why do we have the "required" at
> all?  What's the point in continuing with the chain if we are going
> to return the failure anyway?  What's the real application of
> "required" as compared to "requisite"?

Information leak.  The applicant screwed up, but we don't want to let
him know that until he's jumped through all the *other* hoops as well;
otherwise he might learn something about our authentication setup from
the premature error message.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
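
A simplified model of the two control flags discussed in the message above, added here as an illustration; it is not code from the thread or from FreeBSD's PAM implementation. The two-module chain (pam_nologin followed by pam_unix), the outcome tables and the function names are assumptions made for the example.

```python
# Simplified model of the PAM "required" and "requisite" control flags.
# Added illustration: chain layout and module outcomes are constructed.

def run_chain(chain, outcomes):
    """Evaluate an auth chain of (control_flag, module_name) pairs.

    outcomes maps module_name -> True (success) or False (failure).
    Returns (granted, modules_invoked).
    """
    failed = False            # set once a "required" module has failed
    invoked = []
    for control, module in chain:
        invoked.append(module)
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return False, invoked   # abort at once; later modules never run
        elif control == "required":
            if not ok:
                failed = True           # remember the failure, keep going
        else:
            raise ValueError(f"flag not modelled: {control}")
    return (not failed), invoked


def applicant_view(chain, outcomes):
    """What the applicant can observe: (asked for a password?, granted?)."""
    granted, invoked = run_chain(chain, outcomes)
    return ("pam_unix" in invoked, granted)


REQUIRED = [("required", "pam_nologin"), ("required", "pam_unix")]
REQUISITE = [("requisite", "pam_nologin"), ("required", "pam_unix")]

# Constructed scenarios.
NOLOGIN_ACTIVE = {"pam_nologin": False, "pam_unix": True}   # good password, logins disabled
BAD_PASSWORD = {"pam_nologin": True, "pam_unix": False}     # logins allowed, wrong password

if __name__ == "__main__":
    for name, chain in (("required", REQUIRED), ("requisite", REQUISITE)):
        print(name, applicant_view(chain, NOLOGIN_ACTIVE),
              applicant_view(chain, BAD_PASSWORD))
```

With "required", both failure scenarios look identical from the outside (password requested, access denied). With "requisite", the missing password prompt tells the applicant which check rejected him.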