Date: Tue, 15 Dec 1998 10:57:08 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: Frank Tobin <ftobin@bigfoot.com>, FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG>
Subject: Re: Limiting which users can login via xdm
Message-ID: <Pine.BSF.3.96.981215105331.19184B-100000@fledge.watson.org>
In-Reply-To: <199812131526.HAA07450@cwsys.cwsent.com>
Once PAM is in place, it provides a good checking point for the validity of certain types of behavior--such as logging in within the time bounds. PAM's account stage allows for multiple modules to check authorization. Presumably a login.conf module could be assembled that verified the user fell within the various bounds listed for their class in /etc/login.conf.

Presumably, xdm would have to support PAM, and describe the terminal being logged into in some xdm-specific way (possibly xdm0...) for each user attached to the xdm, as well as providing the remotehost information to PAM. Presumably to do this properly, all address information should be passed around in the form of IP addresses, not host names--I'm not sure how the existing PAM stuff handles this.

On Sun, 13 Dec 1998, Cy Schubert - ITSD Open Systems Group wrote:

> In message <Pine.BSF.4.05.9812112340570.3250-100000@isr3277.urh.uiuc.edu>, Frank Tobin writes:
> > I was wondering if there was a way to limit access to xdm according to
> > users. A major reason I'd like to be able to do this is that it could
> > ensure that I could keep track of logins to xdm that are done remotely.
> > Can one get xdm to use login(1), and consequently, check access via
> > /etc/login.access?
>
> Xdm's Xsession script could be modified to limit who has access to xdm.
> Xdm sets the USER and LOGNAME environment variables, which could be
> used to verify the user's identity. Alternatively you could get the
> user's identity from id or whoami.
>
> Regards,                    Phone:    (250)387-8437
> Cy Schubert                 Fax:      (250)387-5766
> Open Systems Group          Internet: cschuber@uumail.gov.bc.ca
> ITSD                                  Cy.Schubert@gems8.gov.bc.ca
> Government of BC
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
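An added example (not code from the thread's participants or from xdm) of the Xsession check Cy Schubert describes above: it takes the user from id(1), refuses the session if the USER or LOGNAME that xdm exported disagree with it, and then requires an exact match in an allow list. The file path, its one-name-per-line format and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: per-user gate for an xdm Xsession script.
# ALLOW_FILE and its one-name-per-line format are assumptions.
ALLOW_FILE="${ALLOW_FILE:-/usr/local/etc/xdm.allow}"   # hypothetical path

# Print the session user as reported by id(1). Fail if the USER or
# LOGNAME values exported by xdm are set and disagree with it.
xdm_session_user() {
    real=$(id -un) || return 1
    for v in "${USER:-$real}" "${LOGNAME:-$real}"; do
        [ "$v" = "$real" ] || return 1
    done
    printf '%s\n' "$real"
}

# Return 0 only if user $1 appears as a whole line in allow file $2.
# Blank lines and '#' comments are skipped; no substring or pattern
# matching is done, and a missing or unreadable list denies everyone.
xdm_user_allowed() {
    [ -n "$1" ] && [ -r "$2" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "$line" = "$1" ] && return 0
    done < "$2"
    return 1
}

# Gate for the top of Xsession: allow, or log the refusal and fail.
xdm_gate() {
    u=$(xdm_session_user) && xdm_user_allowed "$u" "$ALLOW_FILE" && return 0
    logger -p auth.notice -t xdm \
        "Xsession: login refused for ${u:-unknown}" 2>/dev/null
    return 1
}

# In Xsession, before any window manager or client is started:
#   xdm_gate || exit 1
```

Xsession runs only after xdm has authenticated the user, so this gate decides who gets a session, not who may authenticate. The refusal is written to syslog, which gives the record of xdm logins the original question asked for.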