From owner-freebsd-security Fri Jan 19 14:45:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 1D66837B401 for ; Fri, 19 Jan 2001 14:45:32 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0JMmfj12274; Fri, 19 Jan 2001 14:48:41 -0800 (PST) (envelope-from kris) Date: Fri, 19 Jan 2001 14:48:41 -0800 From: Kris Kennaway To: "David J. MacKenzie" Cc: freebsd-security@FreeBSD.ORG Subject: Re: login_access() Message-ID: <20010119144841.B12089@citusc17.usc.edu> References: <20010119203218.E79A912686@jenkins.web.us.uu.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Bn2rw/3z4jIqBvZU" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010119203218.E79A912686@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 03:32:18PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --Bn2rw/3z4jIqBvZU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jan 19, 2001 at 03:32:18PM -0500, David J. MacKenzie wrote: > login.c in -stable is compiled by default with login_access(), > which is in the login source directory. It reads /etc/login.access > to restrict who can login. sshd also uses that source file. >=20 > However, rshd and the MIT krb5 port don't check that file, > so relying on it for authorization is risky. > I suggest that login_access() be removed from the login source directory > and turned into a PAM module account management function so it can be > used uniformly without specially hacking each program that needs it. This sounds like a good way to proceed (well, PAM module first, then removal/deprecation). Are you able to submit code to do the former? Kris P.S. FreeBSD is in desperate need of a maintainer for PAM. Keep this up, and you'll soon find yourself a committer. --=20 NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org --Bn2rw/3z4jIqBvZU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6aMRJWry0BWjoQKURAvpvAJ0Z8HyDqIyKL0BB02fvPUIkd8SIZQCdFY04 Y0maunrqe4roQw/fZ0d77ek= =HXGx -----END PGP SIGNATURE----- --Bn2rw/3z4jIqBvZU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message