Date: Sun, 16 Feb 2003 00:46:27 +0100
From: Dag-Erling Smorgrav <des@ofug.org>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
Message-ID: <xzpof5dm7jg.fsf@flood.ping.uio.no>
In-Reply-To: <20030215233943.GC72156@nagual.pp.ru> ("Andrey A. Chernov"'s message of "Sun, 16 Feb 2003 02:39:43 +0300")
References: <200302152326.h1FNQnAr027546@repoman.freebsd.org> <20030215233943.GC72156@nagual.pp.ru>

"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> There is no need to explicitly allow localhost in /etc/opieaccess. It
> already works by default, as designed, see OPIE code.

It does not work by default; pam_opieaccess previously had special-case
code to handle this (by explicitly allowing non-OPIE logins when
PAM_RHOST was NULL). This behaviour was very surprising to people who
wanted to prevent OPIE users from using their passwords even locally,
as they had no way of knowing that login(1) happened to set PAM_RHOST
to NULL for local logins.

> Your this and
> /etc/opieaccess changes break POLA.

How? They preserve historical behaviour while allowing admins to
implement a stricter policy, should they wish to do so.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org