From owner-freebsd-security Tue Dec 15 10:15:55 1998
Message-ID: <3676A5EA.B23FCA10@softweyr.com>
Date: Tue, 15 Dec 1998 11:09:46 -0700
From: Wes Peters
Organization: Softweyr llc
To: Robert Watson
CC: Cy Schubert - ITSD Open Systems Group, Frank Tobin, FreeBSD-security Mailing List
Subject: Re: Limiting which users can login via xdm

Robert Watson wrote:
>
> Once PAM is in place, it provides a good checking point for the validity
> of certain types of behavior--such as logging in within the time bounds.
> PAM's account stage allows for multiple modules to check authorization.
> Presumably a login.conf module could be assembled that verified the user
> fell within the various bounds listed for their class in /etc/login.conf.
>
> Presumably, xdm would have to support PAM, and describe the terminal being
> logged into in some xdm-specific way (possibly xdm0...) for each user
> attached to the xdm, as well as providing the remotehost information to
> PAM. Presumably to do this properly, all address information should be
> passed around in the form of IP addresses, not host names--I'm not sure
> how the existing PAM stuff handles this.

XDM handles this using standard X notation for the server, i.e. :0 for a
server at the local workstation, and hostname:0 for xterminal users. If
PAM is going to be enhanced to handle XDM, it should correctly handle
authentication using the X notation.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://www.softweyr.com/~softweyr
wes@softweyr.com
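
Added example, not part of the original message and not code from xdm or any PAM implementation: one way a PAM-aware xdm could split the X display notation described above (:0, hostname:0) into the values it would pass as the PAM_TTY and PAM_RHOST items. The helper name, the struct and the sample display names are hypothetical, and treating a host part of "unix" as local is an assumption; the host part is passed through unresolved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: what a PAM-aware xdm would hand to
 * pam_set_item() as PAM_TTY (full display name) and PAM_RHOST (host part). */
struct xdm_pam_items {
    char tty[256];    /* full X display name, e.g. "hostname:0" */
    char rhost[256];  /* host part; empty string for a local server */
    int  is_local;    /* 1 for ":0" style displays */
};

/* Parse "[host]:display[.screen]". Returns 0 on success, -1 if malformed. */
int display_to_pam_items(const char *display, struct xdm_pam_items *out)
{
    const char *colon, *p;
    size_t hostlen, i;

    if (display == NULL || out == NULL || strlen(display) >= sizeof out->tty)
        return -1;
    colon = strrchr(display, ':');        /* host ends at the last colon */
    if (colon == NULL || !isdigit((unsigned char)colon[1]))
        return -1;
    for (p = colon + 1; isdigit((unsigned char)*p); p++)
        ;                                 /* display number */
    if (*p == '.') {                      /* optional screen number */
        if (!isdigit((unsigned char)*++p))
            return -1;
        while (isdigit((unsigned char)*p))
            p++;
    }
    if (*p != '\0')
        return -1;                        /* trailing junk after the number */
    hostlen = (size_t)(colon - display);
    for (i = 0; i < hostlen; i++) {       /* keep odd bytes out of logs and rules */
        unsigned char c = (unsigned char)display[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return -1;
    }
    strcpy(out->tty, display);
    memcpy(out->rhost, display, hostlen);
    out->rhost[hostlen] = '\0';
    out->is_local = (hostlen == 0 || strcmp(out->rhost, "unix") == 0);
    if (out->is_local)
        out->rhost[0] = '\0';             /* assumption: no remote host to report */
    return 0;
}

int main(void)
{
    const char *samples[] = { ":0", "xterm1.example.org:0", "bad host:0" }; /* constructed */
    struct xdm_pam_items it;
    for (size_t i = 0; i < 3; i++)
        if (display_to_pam_items(samples[i], &it) == 0)
            printf("tty=%s rhost=%s local=%d\n", it.tty, it.rhost, it.is_local);
        else
            printf("rejected: %s\n", samples[i]);
    return 0;
}
```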