Date: Fri, 25 May 2001 14:42:40 +0200
From: Mark Murray <mark@grondar.za>
To: arch@freebsd.org
Subject: PAM, S/Key and authentication schemes.
Message-ID: <200105251240.f4PCeO612402@gratis.grondar.za>

Hi

We currently have a slew of authentication schemes in FreeBSD. There is the usual lot in getpwent(3) and friends, OPIE, S/Key and PAM, and then a bunch of home-rolled ones such as the WHEELSU rules in su(1), and the anonymous user rules in ftpd(8). There is also Kerberos in 2 forms, SSH, and the r-utils .rhosts files.

I'd like to simplify this lot in a way that makes it easy for the administrator to decide her own policy. PAM is ideal for this.

I have already tested this on my home cluster with su(1) (I just made su a PAM-only thing), and this makes the code a whole lot simpler. Simpler code == safer code.

I'd like to properly PAM-ize the things that need it, and simplify where possible and where appropriate. In most cases, this means gutting out the convoluted logic in favour of PAM _only_. (Obviously SSH will need its own scheme as well).

This means that PAM modules like pam_rhosts, pam_anonymous, pam_shells, pam_tcpd and so on can be used to set custom policies on a per-site basis (Yeah, yeah, these need to be written!).

S/Key is OBE in my opinion and needs to be entirely replaced by OPIE. (And in the majority of cases pam_opie will do the job).

Comments?

M
--
Mark Murray
Warning: this .sig is umop ap!sdn
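
To make the proposal concrete, here is an added illustration (not part of the original message, and not the author's configuration) of the su(1) wheel rule and OPIE expressed purely as PAM policy. It assumes the per-service /etc/pam.d layout and the pam_rootok, pam_group and pam_opieaccess modules that shipped in later FreeBSD releases; only pam_opie is named in the message.

```conf
# /etc/pam.d/su -- assumed file name and layout (later FreeBSD convention)

# root may su to anyone without authenticating
auth      sufficient  pam_rootok.so      no_warn

# The wheel rule as policy instead of code in su(1):
#   root_only  apply the check only when the target account is root
#   ruser      test the group membership of the calling user
#   fail_safe  if wheel is missing or empty, behave as if the user is a member
auth      requisite   pam_group.so       no_warn group=wheel root_only fail_safe ruser

# OPIE one-time passwords take the place of S/Key
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
# Users who have OPIE set up may fall back to a plain password
# only from local sessions or hosts trusted in opieaccess
auth      requisite   pam_opieaccess.so  no_warn allow_local

# Ordinary password check as the last resort
auth      required    pam_unix.so        no_warn try_first_pass

account   required    pam_unix.so
session   required    pam_permit.so
```

An administrator who wants a stricter site policy changes this file (for example, dropping `fail_safe` so an empty wheel group denies everyone) rather than rebuilding su(1).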