Date: Tue, 15 Dec 1998 11:09:46 -0700
From: Wes Peters <wes@softweyr.com>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>, Frank Tobin <ftobin@bigfoot.com>, FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG>
Subject: Re: Limiting which users can login via xdm
Message-ID: <3676A5EA.B23FCA10@softweyr.com>
References: <Pine.BSF.3.96.981215105331.19184B-100000@fledge.watson.org>

Robert Watson wrote:
>
> Once PAM is in place, it provides a good checking point for the validity
> of certain types of behavior--such as logging in within the time bounds.
> PAM's account stage allows for multiple modules to check authorization.
> Presumably a login.conf module could be assembled that verified the user
> fell within the various bounds listed for their class in /etc/login.conf.
>
> Presumably, xdm would have to support PAM, and describe the terminal being
> logged into in some xdm-specific way (possibly xdm0...) for each user
> attached to the xdm, as well as providing the remotehost information to
> PAM. Presumably to do this properly, all address information should be
> passed around in the form of IP addresses, not host names--I'm not sure
> how the existing PAM stuff handles this.

XDM handles this using standard X notation for the server, i.e. :0 for
a server at the local workstation, and hostname:0 for xterminal users.
If PAM is going to be enhanced to handle XDM, it should correctly
handle authentication using the X notation.
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com
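Added example, not part of the original message and not code from xdm or any PAM implementation: a strict parser for the X display notation discussed in the thread (:0 for a local server, hostname:0 for an X terminal), splitting it into the terminal and remote-host strings a login service could hand to PAM as PAM_TTY and PAM_RHOST. The names split_display and xdm_login_ctx are hypothetical, the mapping onto those two PAM items is an assumption, and the host part is kept as the name given (no address resolution is attempted).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container for the two values an account check would see. */
struct xdm_login_ctx {
    char tty[32];     /* ":N" or ":N.S"; assumed candidate for PAM_TTY   */
    char rhost[256];  /* empty for a local display; else PAM_RHOST value */
    int  is_local;
};

/* Split an X display name. Returns 0 on success, -1 if it is malformed. */
int split_display(const char *display, struct xdm_login_ctx *out)
{
    const char *colon, *p;
    size_t hostlen;

    if (display == NULL || out == NULL || (colon = strrchr(display, ':')) == NULL)
        return -1;
    hostlen = (size_t)(colon - display);
    if (hostlen >= sizeof(out->rhost) || strlen(colon) >= sizeof(out->tty))
        return -1;
    /* Display number: digits, optionally followed by ".screen" digits. */
    p = colon + 1;
    if (!isdigit((unsigned char)*p))
        return -1;
    while (isdigit((unsigned char)*p)) p++;
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p)) return -1;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p != '\0')
        return -1;              /* trailing junk after the display number */
    /* Host part: letters, digits, '.' and '-' only, so nothing unexpected
     * reaches a log line or an access rule. "host::0" is rejected here. */
    for (p = display; p < colon; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return -1;
    memcpy(out->rhost, display, hostlen);
    out->rhost[hostlen] = '\0';
    strcpy(out->tty, colon);
    /* Empty host or the conventional "unix" prefix means a local server. */
    out->is_local = (hostlen == 0 || strcmp(out->rhost, "unix") == 0);
    if (out->is_local)
        out->rhost[0] = '\0';
    return 0;
}

int main(void)
{
    struct xdm_login_ctx c;     /* sample display name below is constructed */
    if (split_display("xterm1.example.org:0", &c) == 0)
        printf("tty=%s rhost=%s local=%d\n", c.tty, c.rhost, c.is_local);
    return 0;
}
```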
