Date: Sat, 21 Nov 1998 22:06:10 -0800 From: Don Lewis <Don.Lewis@tsc.tdk.com> To: Robert Watson <robert+freebsd@cyrus.watson.org>, Mikael Karpberg <karpen@ocean.campus.luth.se> Cc: William McVey <wam@sa.fedex.com>, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Would this make FreeBSD more secure? Message-ID: <199811220606.WAA00417@salsa.gv.tsc.tdk.com> In-Reply-To: Robert Watson <robert@cyrus.watson.org> "Re: Would this make FreeBSD more secure?" (Nov 17, 5:02pm)
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 17, 5:02pm, Robert Watson wrote: } Subject: Re: Would this make FreeBSD more secure? } It might be nice to just have a file system socket any process can bind to } that mediates access to the authentication system. On the one side of the } socket is any client attempting to authenticate a user (possibly using PAM } as the API, and then some record based protocol over the socket), and on } the other side is Mr Auth Server that listens on the socket, accepts } connections, and is a place where throttling of attempts could be } performed. Similarly, it could take advantage of the SCM_AUTH (or } whatever) uid/gid passing to authenticate the processes on the other side. I think this is the best solution. Unless the process is setuid root (su), if the auth server sees that billybob is trying to validate a password, then the auth server should only validate billybob's password. This prevents billybob from trying to use the auth server to crack passwords, but it allows billybob to install and use his own private screen or terminal locker. --- Truck To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199811220606.WAA00417>