From owner-freebsd-security@FreeBSD.ORG Tue Sep 3 13:44:05 2013
Return-Path:
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 18A2B87F for ; Tue, 3 Sep 2013 13:44:05 +0000 (UTC) (envelope-from lev@FreeBSD.org)
Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [46.4.40.135]) by mx1.freebsd.org (Postfix) with ESMTP id C95F12D6B for ; Tue, 3 Sep 2013 13:44:04 +0000 (UTC)
Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:61fd:95c3:8111:539a]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 9FCA14AC2D; Tue, 3 Sep 2013 17:44:02 +0400 (MSK)
Date: Tue, 3 Sep 2013 17:43:59 +0400
From: Lev Serebryakov
X-Priority: 3 (Normal)
Message-ID: <1734535072.20130903174359@serebryakov.spb.ru>
To: Dag-Erling Smørgrav
Subject: Re: OpenSSH, PAM and kerberos
In-Reply-To: <8661uiujin.fsf@nine.des.no>
References: <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@FreeBSD.org, Slawa Olhovchenkov
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 03 Sep 2013 13:44:05 -0000

Hello, Dag-Erling.

You wrote on 3 September 2013, 17:22:56:

DES> sshd is just one of many applications in the system.

Oops. I think having ONE daemon to provide ALL authentication is a bad idea. It crashes. After that you cannot log in via console, sshd, telnet, whatever! Only one way -- reboot the server via the power button... Not good.

>> One more daemon -- one more point of failure...

DES> Or you can look at it the other way around: less copy-pasting between
DES> applications and far fewer chances to screw it up.

login(1) works. That means console and telnet work. ftpd(8) doesn't need such excessive session support (single login via ftp? Are you kidding?). So, only sshd(8) is broken. And change (dramatically) well-known programs (like login(1)) and introduce a new subsystem to fix a bug (it is really a bug) in sshd? I don't think it is a sane way to do things.

-- 
// Black Lion AKA Lev Serebryakov