Date: 21 Jan 2002 01:42:00 +0100 From: Dag-Erling Smorgrav <des@ofug.org> To: "Andrey A. Chernov" <ache@nagual.pp.ru> Cc: Mark Murray <mark@grondar.za>, current@FreeBSD.ORG Subject: Re: Step5, pam_opie OPIE auth fix for review Message-ID: <xzpelkk1qnb.fsf@flood.ping.uio.no> In-Reply-To: <20020121002557.GB27831@nagual.pp.ru> References: <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru> <xzpvgdw1sqp.fsf@flood.ping.uio.no> <20020121000446.GB27206@nagual.pp.ru> <xzpn0z81rrr.fsf@flood.ping.uio.no> <20020121002557.GB27831@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
"Andrey A. Chernov" <ache@nagual.pp.ru> writes: > On Mon, Jan 21, 2002 at 01:17:44 +0100, Dag-Erling Smorgrav wrote: > > The current system, BTW, leaves the policy in the hands of the user, > > as she can create or remove ~/.opie_always at will. A security policy > > which is based on letting the user decide what is sufficient > > authentication and what is not is not a proper security policy. > No, by creating ~/.opiealways user can only _increase_ its own security > level additionly to pre-setted by sysadmin for him, and can't _decrease_ > it. The admin can't enforce "always OPIE" for a user, because the user can always delete his ~/.opiealways. > > Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR > > from a "sufficient" module. A "requisite" helper module, placed after > > pam_opie, which fails if ~/.opie_always exists would do the trick, if > > one really wanted this. > ~/.opiealways checked only if opieaccess() found remote host in the > /etc/opieaccess table. Oh. I misunderstood the role of /etc/opieaccess in this. This only strengthens my opinion that this check should be in a separate module. How about I write a pam_opieaccess(8) module and you tell me what you think of it? It's really the cleanest solution from PAM's point of view. > Yes, this check can be done as separate PAM module, but why two modules in > the same area instead of one? Because they're different mechanisms that check different things, and their success or failure have different meanings. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpelkk1qnb.fsf>