From owner-freebsd-security Tue Dec 15 07:59:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA11529 for freebsd-security-outgoing; Tue, 15 Dec 1998 07:59:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA11524 for ; Tue, 15 Dec 1998 07:59:12 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA19239; Tue, 15 Dec 1998 10:57:08 -0500 (EST)
Date: Tue, 15 Dec 1998 10:57:08 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Cy Schubert - ITSD Open Systems Group
cc: Frank Tobin , FreeBSD-security Mailing List
Subject: Re: Limiting which users can login via xdm
In-Reply-To: <199812131526.HAA07450@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Once PAM is in place, it provides a good checking point for the validity of
certain types of behavior -- such as logging in within the time bounds.
PAM's account stage allows for multiple modules to check authorization.
Presumably a login.conf module could be assembled that verified the user
fell within the various bounds listed for their class in /etc/login.conf.

Presumably, xdm would have to support PAM, and describe the terminal being
logged into in some xdm-specific way (possibly xdm0...) for each user
attached to the xdm, as well as providing the remotehost information to
PAM. Presumably, to do this properly, all address information should be
passed around in the form of IP addresses, not host names -- I'm not sure
how the existing PAM stuff handles this.
On Sun, 13 Dec 1998, Cy Schubert - ITSD Open Systems Group wrote:

> In message >, Frank Tobin writes:
> > I was wondering if there was a way to limit access to xdm according to
> > users. A major reason I'd like to be able to do this is that it could
> > ensure that I could keep track of logins to xdm that are done remotely.
> > Can one get xdm to use login(1), and consequently, check access via
> > /etc/login.access?
>
> Xdm's Xsession script could be modified to limit who has access to xdm.
> Xdm sets the USER and LOGNAME environment variables, which could be
> used to verify the user's identity. Alternatively you could get the
> user's identity from id or whoami.
>
> Regards,                       Phone:    (250)387-8437
> Cy Schubert                    Fax:      (250)387-5766
> Open Systems Group             Internet: cschuber@uumail.gov.bc.ca
> ITSD                                     Cy.Schubert@gems8.gov.bc.ca
> Government of BC
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Robert N Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
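The account-stage check Robert sketches above, as an added example that is not part of this thread and not FreeBSD, PAM or xdm code: a Python model of what a login.conf-aware PAM account module (pam_sm_acct_mgmt) would decide for an xdm login, given the user, the tty name xdm hands to PAM as PAM_TTY, the remote host as PAM_RHOST, and the time. A real module is C compiled against PAM; this re-creates only the decision logic so it can be run offline. The login.conf records, the user-to-class table, the tty name "xdm0", the addresses and the timestamps are all constructed for the example. The times.allow/times.deny entries follow the login_times(3) form (Mo..Su, Wk, Wd, Any/All, then HHMM-HHMM); that a matching times.deny entry wins over times.allow, and that a PAM_RHOST which is not an IP address is refused outright, are assumptions of this model that reflect the two points made in the message, not documented behaviour of any existing module.

```python
"""Model of a PAM account-stage (pam_sm_acct_mgmt) check for xdm logins.

Constructed example: a real module is C compiled against PAM; this
Python re-creates the decision logic so it can be exercised offline.
"""
import ipaddress
import re
from datetime import datetime

# Symbolic PAM return names (numeric codes differ between PAM implementations).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed login.conf(5)-style records: termcap format, continuation
# lines end in a backslash, capabilities are colon-separated, tc= inherits.
LOGIN_CONF = r"""
default:\
    :times.allow=Any:
staff:\
    :times.allow=Wk0700-1900,Sa0900-1300:\
    :times.deny=Fr1800-1900:\
    :tc=default:
guest:\
    :times.allow=Wd1000-1600:\
    :tc=default:
"""

# Constructed user -> login class table (what the passwd class field holds).
USER_CLASS = {"alice": "staff", "bob": "guest", "root": "default"}

# login_times(3) day tokens; list index matches datetime.weekday() (Mo == 0).
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
DAY_GROUPS = {"Any": set(range(7)), "All": set(range(7)),
              "Wk": set(range(5)), "Wd": {5, 6}}
DAY_TOKEN = re.compile(r"Any|All|Wk|Wd|Mo|Tu|We|Th|Fr|Sa|Su")
TIME_ENTRY = re.compile(
    r"^(?P<days>(?:Any|All|Wk|Wd|Mo|Tu|We|Th|Fr|Sa|Su)*)"
    r"(?:(?P<start>\d{4})-(?P<end>\d{4}))?$")

AUDIT_LOG = []   # what the module would hand to syslog(3); kept here for inspection


def parse_login_conf(text):
    """Parse termcap-style records into {class: {cap: value}}, resolving tc=."""
    records = {}
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        caps = {}
        for field in fields[1:]:
            if field:
                key, _, value = field.partition("=")
                caps[key] = value
        records[fields[0]] = caps

    def resolve(name, seen=()):
        caps = dict(records[name])
        parent = caps.pop("tc", None)
        if parent in records and parent not in seen:
            merged = resolve(parent, seen + (name,))
            merged.update(caps)          # child capabilities override the parent's
            return merged
        return caps

    return {name: resolve(name) for name in records}


def in_window(entry, when):
    """True if datetime `when` falls inside one times.allow/times.deny entry."""
    m = TIME_ENTRY.match(entry)
    if not m:
        raise ValueError(f"bad login time entry: {entry!r}")
    days = set()
    for tok in DAY_TOKEN.findall(m["days"]):
        days |= DAY_GROUPS[tok] if tok in DAY_GROUPS else {DAYS.index(tok)}
    if not days:                         # no day list means every day
        days = set(range(7))
    start = int(m["start"]) if m["start"] else 0
    end = int(m["end"]) if m["end"] else 2400
    return when.weekday() in days and start <= when.hour * 100 + when.minute < end


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def pam_sm_acct_mgmt(user, tty, rhost, when, login_conf=LOGIN_CONF,
                     user_class=USER_CLASS):
    """Account-stage decision for one login attempt; returns a PAM_* name.

    `tty` is the assumed xdm-specific PAM_TTY (e.g. "xdm0"); `rhost` is
    PAM_RHOST, expected to be an IP address, or None for a local login.
    `when` may be a datetime or an ISO-8601 string.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    cls = user_class.get(user)
    if cls is None:
        result = PAM_USER_UNKNOWN
    elif rhost is not None and not _is_ip(rhost):
        result = PAM_PERM_DENIED         # assumption: host names are refused, pass addresses
    else:
        caps = parse_login_conf(login_conf).get(cls, {})
        allow = [e for e in caps.get("times.allow", "").split(",") if e]
        deny = [e for e in caps.get("times.deny", "").split(",") if e]
        # Assumption of this model: a matching times.deny entry wins over
        # times.allow, and an empty times.allow places no restriction.
        if any(in_window(e, when) for e in deny):
            result = PAM_PERM_DENIED
        elif allow and not any(in_window(e, when) for e in allow):
            result = PAM_PERM_DENIED
        else:
            result = PAM_SUCCESS
    AUDIT_LOG.append(f"xdm-acct user={user} class={cls} tty={tty} "
                     f"rhost={rhost or 'local'} at={when:%a %H:%M} result={result}")
    return result


if __name__ == "__main__":
    print(pam_sm_acct_mgmt("alice", "xdm0", "192.0.2.10", "2024-01-12T18:30"))
    print(pam_sm_acct_mgmt("bob", "xdm0", "host.example", "2024-01-13T12:00"))
    print("\n".join(AUDIT_LOG))
```

The audit line records the tty and the remote address on every decision, which is the remote-login tracking the original question asked for; doing it in the account stage rather than in Xsession means it happens before any session is started for the user.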