Message-Id: <199811132107.XAA12704@greenpeace.grondar.za>
To: Robert Watson
cc: ark@eltex.ru, cschuber@uumail.gov.bc.ca, oortiz@LCSI.COM, freebsd-security@FreeBSD.ORG
Subject: Re: Intruder Lockout
In-Reply-To: Your message of "Fri, 13 Nov 1998 15:58:07 EST."
Date: Fri, 13 Nov 1998 23:07:05 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG

Robert Watson wrote:
> My understanding has always been that PAM is only good for talking to
> humans, and cannot be used to make things like kerberized ftp or
> kerberized imap any easier to write. That is, that it essentially
> performs a set of challenges/responses intended for humans and is not
> easily adaptable for server-server communication or unattended
> communication in secure protocols. Is this interpretation correct? (Not
> having it under BSD, I haven't had much opportunity to use it).

That depends on the implementor. If the implementor is a twit, then
sure, that is the case.

If the implementor does it properly, and for PAM, this needs to be done
properly _once_, then there should be no hassle. PAM is generalised, so
the implementor needs to think about security in the general case; that
makes life easier. If the implementor is an idiot, (s)he can screw it up
royally, but a programmer worth his/her salt should manage without too
much of a problem.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org