From owner-cvs-all Wed Mar 6 16:12:12 2002
Delivered-To: cvs-all@freebsd.org
Received: from green.bikeshed.org (freefall.FreeBSD.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id 229AC37B402;
        Wed, 6 Mar 2002 16:12:06 -0800 (PST)
Received: from localhost (green@localhost)
        by green.bikeshed.org (8.11.6/8.11.6) with ESMTP id g270C5m43660;
        Wed, 6 Mar 2002 19:12:05 -0500 (EST)
        (envelope-from green@green.bikeshed.org)
Message-Id: <200203070012.g270C5m43660@green.bikeshed.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Dag-Erling Smorgrav
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules modules.inc src/lib/libpam/modules/pam_alreadyloggedin Makefile pam_alreadyloggedin.8 pam_alreadyloggedin.c
In-Reply-To: Your message of "07 Mar 2002 00:44:51 +0100."
From: "Brian F. Feldman"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 06 Mar 2002 19:12:05 -0500
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dag-Erling Smorgrav wrote:
> "Brian F. Feldman" writes:
> > Robert took a look at it, and other people agreed it was a generally
> > interesting module to have. Add to that that it's small, not turned on
> > unless you do it yourself, and doesn't break the build, and I don't see what
> > the problem is adding a new PAM module.
>
> You know that I am working on PAM, yet it did not occur to you to even
> ask me if I had thought of something like this, or if I had any plans
> to implement something like this. Even assuming that I think
> pam_alreadyloggedin is a good idea (which I don't), it did not even
> occur to you that I might possibly object to the name of the module
> (which I do), or the way it was implemented (which I do), or the code
> style (which I do). It did not even occur to you that less than 24
> hours after I completely replaced libpam with new and relatively
> untested code might not be the ideal time to commit a new module.

No, it absolutely didn't. Whether it's a good idea or not is up to anyone
that decides if they want to use it. If you object to the name, want to
suggest another? What in the world do you mean by "the way it was
implemented", and how is the code style any different from KNF?

I had also tested the module initially on old-PAM and then on OpenPAM and
it worked just fine in both cases for the scenarios I could come up with.
Now other people can test it if they want to. It in no way affects anyone's
life with PAM unless they decide to go out of their way and try it out.

Personally, I use it on my laptop with "no_root restrict_tty=ttyv*", in my
/etc/pam.d/login, since I rather like not having to type in my SSH key's
passphrase all day now.

> I don't really mind having the module in the tree, even though I think
> it's a spectacularly bad idea from a security standpoint, but I do
> mind its name and about half of its implementation (measured in loc),
> so you might as well back it out.

Do you mind actually suggesting what's supposed to be so bad about "half of
its implementation"? Also, please explain how it's any worse from a security
standpoint to have this ability than it is to, say, default to the console
being a "secure" tty so not requiring a root password, or anything else in
the system. It's not going to decrease the security of a system, because
anyone who is going to use it knows what it does already and knows in what
ways it would "compromise" a system.

*grumbles something about everyone wanting to take things as an affront in
all situations nowadays*

-- 
Brian Fundakowski Feldman                        \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org <> bfeldman@tislabs.com    \  The Power to Serve! \
      Opinions expressed are my own.               \,,,,,,,,,,,,,,,,,,,,,,\