From: "Chad R. Larson"
Message-Id: <199807172249.PAA03916@freebie.dcfinc.com>
Subject: Re: Finger and getpwent
To: wes@softweyr.com (Wes Peters)
Date: Fri, 17 Jul 1998 15:49:25 -0700 (MST)
Cc: chad@dcfinc.com, freebsd-stable@FreeBSD.ORG
In-Reply-To: <199807170000.SAA18215@obie.softweyr.com> from Wes Peters at "Jul 16, 98 06:00:58 pm"
Reply-to: chad@dcfinc.com

> Chad Larson recommended:
> > The model that makes sense to me is the SysVr4 Service Access Controller
> > (SAC). From a security standpoint, there were way too many different
> > ways to get a "login" prompt from the system. The telnet daemon, the
> > rlogin daemon, FTP, the regular login, the UUCP service, etc. So now
> > there is only one process that issues "login", and everything else goes
> > through it. That gives a single point to install authentication and
> > access control.
> >
> > The other band-aids grew up, in my opinion, as people who didn't have
> > source to their systems tried to fix things up. We FreeBSDers have the
> > facilities to implement a global solution similar to the SysVr4 one.
>
> Hopefully without the horrible over-complexity of SAF and SAC, though.
> When you have 'keys' that are so complex you have to write another
> command just to generate the keys for you, something has gone horribly
> wrong with your design.

I agree with that, which is why I used the term "model". I wouldn't
suggest a re-implementation of SAF, but fixing all the various current
access means to route through a common point makes sense to me.

> Wes Peters                                              Softweyr LLC
> http://www.softweyr.com/~softweyr                   wes@softweyr.com

	-crl
--
Chad R. Larson (CRL22)    Brother, can you paradigm?
602-953-1392   chad@dcfinc.com  chad@anasazi.com  larson1@home.com
DCF, Inc. - 14623 North 49th Place, Scottsdale, Arizona 85254