From owner-freebsd-security  Fri Nov 13 13:00:00 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA28729
          for freebsd-security-outgoing; Fri, 13 Nov 1998 13:00:00 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA28692
          for <freebsd-security@freebsd.org>; Fri, 13 Nov 1998 12:59:56 -0800 (PST)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id PAA16832;
	Fri, 13 Nov 1998 15:58:07 -0500 (EST)
Date: Fri, 13 Nov 1998 15:58:07 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Mark Murray <mark@grondar.za>
cc: ark@eltex.ru, cschuber@uumail.gov.bc.ca, oortiz@LCSI.COM,
        freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout 
In-Reply-To: <199811132050.WAA29529@greenpeace.grondar.za>
Message-ID: <Pine.BSF.3.96.981113155557.16788A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 13 Nov 1998, Mark Murray wrote:

> > Kerberos is a big problem itself: you have to kerberize _everything_
> > that is even harder than SSLeay'ing it..
> 
> Ahah!
> 
> PAM is in the wings. PAM is not much of a problem. In the beginning,
> maybe a PITA, but once its done, your security strategy is kinda
> easy ;-).

Mark,

My understanding has always been that PAM is only good for talking to
humans, and cannot be used to make things like kerberized ftp or
kerberized imap any easier to write.  That is, that it essentially
performs a set of challenges/responses intended for humans and is not
easily adaptable for server-server communication or unattended
communication in secure protocols.  Is this interpretation correct?  (Not
having it under BSD, I haven't had much opportunity to use it).  

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message