From owner-freebsd-security  Sat Jan 20 21:10:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32])
	by hub.freebsd.org (Postfix) with ESMTP
	id B233337B401; Sat, 20 Jan 2001 21:10:26 -0800 (PST)
Received: by jenkins.web.us.uu.net (Postfix, from userid 515)
	id CB06E12686; Sun, 21 Jan 2001 00:10:25 -0500 (EST)
To: djm@web.us.uu.net, rwatson@FreeBSD.ORG
Subject: Re: improved: PAM support for login, rshd, and su
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <20010121051025.CB06E12686@jenkins.web.us.uu.net>
Date: Sun, 21 Jan 2001 00:10:25 -0500 (EST)
From: djm@web.us.uu.net (David J. MacKenzie)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> So, at one point recently I sent e-mail to freebsd-arch proposing that we
> eliminate the #ifdef for LOGIN_CAP.  I asked if anyone was actually not
> using the login.conf stuff in their configuration but haven't found any
> examples yet.  Having two code paths for all sensitive authorization and
> authentication code really makes a mess of things, and also means that
> login.conf can't be used as a comprehensive source of policy.

I agree.  login already uses login_cap unconditionally, so I don't see
any point in having su and rshd maintain two code paths.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message