From: Ruslan Ermilov
To: Dag-Erling Smorgrav
Cc: current@FreeBSD.org
Date: Fri, 23 May 2003 22:49:09 +0300
Subject: Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID: <20030523194909.GB11988@sunbay.com>
References: <20030522184631.A23366@bart.esiee.fr> <20030522224850.GK87863@roark.gnf.org> <20030523060846.GC17107@sunbay.com> <20030523062848.GG17107@sunbay.com> <20030523193724.GA9240@sunbay.com>
User-Agent: Mutt/1.5.4i

On Fri, May 23, 2003 at 09:41:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov writes:
> > Why is pam_nologin in the "auth" chain of the "login" service marked
> > "required" and not "requisite", and why do we have the "required" at
> > all? What's the point in continuing with the chain if we are going
> > to return the failure anyway? What's the real application of
> > "required" as compared to "requisite"?
>
> Information leak. The applicant screwed up, but we don't want to let
> him know that until he's jumped through all the *other* hoops as well;
> otherwise he might learn something about our authentication setup from
> the premature error message.
>
Works for the generic case, but not for this particular example.
Just run "shutdown -k now" locally, and watch how funny the login
session looks. I don't think we're leaking something here. ;)

Hm, or maybe this is just the problem with pam_nologin(8) not
respecting the "no_warn" option?

Cheers,
-- 
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software AG, ru@FreeBSD.org
FreeBSD committer, +380.652.512.251
Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
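The difference between "required" and "requisite" that the two posts argue about is easiest to see by walking a small auth chain under both control flags. The model below is an added example written for this archive page, not OpenPAM or FreeBSD code: the dispatcher rules are a simplified reading of how a PAM chain is evaluated, the two modules are constructed stand-ins for pam_nologin(8) and pam_unix(8), and the return-value names, the message text and the pam.d fragment are assumptions made for illustration.

```python
"""Simplified model of a PAM "auth" chain (added example, not OpenPAM code).

Rules modelled (assumed simplifications of the real dispatcher):
  required   - failure is recorded, chain continues, failure returned at the end
  requisite  - failure is returned immediately
  sufficient - success ends the chain (if nothing failed before); failure ignored
  optional   - result ignored
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"   # assumed return code of a refused login


@dataclass
class Entry:
    control: str                 # required | requisite | sufficient | optional
    module: str
    args: List[str] = field(default_factory=list)


@dataclass
class Session:
    """Constructed stand-in for the PAM handle plus the conversation."""
    nologin_active: bool         # True models the state after "shutdown -k"
    password_ok: bool
    called: List[str] = field(default_factory=list)
    prompted: bool = False       # did the password module ask the user anything?
    messages: List[str] = field(default_factory=list)


def pam_nologin(s: Session, args: List[str]) -> str:
    """Constructed model of pam_nologin: refuse when nologin is active."""
    if not s.nologin_active:
        return PAM_SUCCESS
    if "no_warn" not in args:    # the option the post suspects is not honoured
        s.messages.append("NO LOGINS: system going down")   # constructed text
    return PAM_AUTH_ERR


def pam_unix(s: Session, args: List[str]) -> str:
    """Constructed model of pam_unix: always prompts, then checks the password."""
    s.prompted = True
    return PAM_SUCCESS if s.password_ok else PAM_AUTH_ERR


MODULES: Dict[str, Callable[[Session, List[str]], str]] = {
    "pam_nologin.so": pam_nologin,
    "pam_unix.so": pam_unix,
}


def parse_chain(text: str, facility: str = "auth") -> List[Entry]:
    """Parse pam.d-style lines: <facility> <control> <module> [args...]."""
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module, *args = line.split()
        if fac == facility:
            chain.append(Entry(control, module, args))
    return chain


def dispatch(chain: List[Entry], s: Session) -> str:
    """Walk the chain with the simplified control-flag rules above."""
    err: Optional[str] = None
    for e in chain:
        r = MODULES[e.module](s, e.args)
        s.called.append(e.module)
        if r == PAM_SUCCESS:
            if e.control == "sufficient" and err is None:
                return PAM_SUCCESS
            continue
        if e.control in ("optional", "sufficient"):
            continue                 # failure of these does not decide the result
        if err is None:
            err = r                  # first required/requisite failure wins
        if e.control == "requisite":
            return err               # stop right here
    return err if err is not None else PAM_SUCCESS


def simulate(control: str, nologin_active: bool, password_ok: bool = True):
    """Run a constructed two-module login chain; return what the user would see."""
    conf = f"""
# constructed pam.d/login fragment (not FreeBSD's real file)
auth  {control}  pam_nologin.so  no_warn
auth  required   pam_unix.so     try_first_pass
"""
    s = Session(nologin_active, password_ok)
    result = dispatch(parse_chain(conf), s)
    return result, s.called, s.prompted, s.messages


if __name__ == "__main__":
    for control in ("required", "requisite"):
        print(control, simulate(control, nologin_active=True))
```

Run with nologin active, the "required" variant still calls pam_unix and prompts for a password although the outcome is already decided, which is the behaviour the reply describes as hiding which hoop was missed, and also the oddly long login session the post observes after "shutdown -k now"; the "requisite" variant stops at pam_nologin and never prompts. Removing `no_warn` from the constructed line makes the model's pam_nologin emit its message, which is the option the post wonders about.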