Date:      Tue, 3 Sep 2013 18:21:52 +0400
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@FreeBSD.org, Slawa Olhovchenkov <slw@zxy.spb.ru>
Subject:   Re: OpenSSH, PAM and kerberos
Message-ID:  <1601348478.20130903182152@serebryakov.spb.ru>
In-Reply-To: <86vc2it2ip.fsf@nine.des.no>
References:  <86sixrwdcv.fsf@nine.des.no> <20130830131455.GW3796@zxy.spb.ru> <8661uj9lc6.fsf@nine.des.no> <20130902181754.GD3796@zxy.spb.ru> <867geywdfc.fsf@nine.des.no> <20130903083301.GF3796@zxy.spb.ru> <86y57euu8y.fsf@nine.des.no> <20130903093756.GG3796@zxy.spb.ru> <86ppsqutw7.fsf@nine.des.no> <998724759.20130903142637@serebryakov.spb.ru> <20130903103922.GI3796@zxy.spb.ru> <6110257289.20130903145034@serebryakov.spb.ru> <86d2oquopo.fsf@nine.des.no> <226539732.20130903154908@serebryakov.spb.ru> <8661uiujin.fsf@nine.des.no> <1734535072.20130903174359@serebryakov.spb.ru> <86vc2it2ip.fsf@nine.des.no>

Hello, Dag-Erling.
You wrote on 3 September 2013 at 18:15:26:

>> login(1) works. It means that console and telnet work. ftpd(8) doesn't
>> need such excessive session support (single login via ftp? Are you
>> kidding?). So, only sshd(8) is broken. And change (dramatically) well-known
>> programs (like login(1)) and introduce a new subsystem to fix a bug (it is
>> really a bug) in sshd? I don't think it is a sane way to do things.
DES> We're not just talking about a bug in sshd.  We're talking about a
DES> fundamentally broken paradigm which affects *all* applications.
 How does it affect the second-most-used login application -- login(1)?

 I know nothing about xdm, gdm, kdm and all other X11 display managers, as I
don't use anything UNIX-like on desktops. Are they affected too? Or do they
work as intended now?

 Which applications need this functionality too? ftpd(8)? Is it affected?
But I'm not sure that ftpd(8) needs something like this at all, as I could
not imagine any kerberized / single-login application running with ftpd as
parent. Maybe my imagination is poor.

 And, yes, what do you mean by "fundamentally broken paradigm" here? PAM
itself?

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
