Christian Hammers wrote:
> On 2006-10-26 Wakko Warner wrote:
> > /etc/pam.d/quagga:
> > auth        required        pam_permit.so
> > 
> > This causes quagga not to ask for a password as it uses pam authentication
> > methods.  I do not see a security risk because:
> > 1) Only the quagga user or the quaggavty group has access to the sockets
> > 2) Any admin who compiles their own vtysh w/o asking for a password will do
> > the exact same thing.
> > 
> > There is really no reason that I can see to authenticate the calling user.
> 
> This is currently true, but I expect the other daemons to start using PAM in
> the future too, and having a pam_permit lying around probably isn't the best
> idea then.

Maybe not, but that was the workaround I found.  I didn't look at rootok
though.  I tested vtysh as a normal user which was unable to connect to the
daemons running.

> I'm preparing an upload with "pam_rootok.so" in the
> default /etc/pam.d/quagga. This is enough for the init script to work.

This is still a workaround IMO.

> Sadly vtysh does not give a sane error message.
> 
> What do you think?

Personally, I think the authentication should be completely removed from
vtysh.  It has already been proven to be a useless authentication method.
As stated, anyone could compile their own vtysh to bypass this (or just
place the permit in the pam config).  Unless someone chowns the sockets that
the daemons use, only the quagga user and the root user can connect.

Do what you feel is best.

-- 
 Lab tests show that use of micro$oft causes cancer in lab animals
 Got Gas???
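Added example, not part of this thread or of the quagga package: a small POSIX shell audit that reports whether a PAM service file's auth stack waves everyone through with pam_permit.so (the workaround discussed above) or is limited to root via pam_rootok.so. The file names and contents below are constructed samples; plain control words only, `[...]` controls and `@include` lines are flagged as not evaluated rather than parsed.

```shell
#!/bin/sh
# pam_auth_audit FILE
#   exit 0: no unconditional permit in the auth stack
#   exit 1: an "auth" line (not marked optional) uses pam_permit.so
#   exit 2: file unreadable
#   exit 3: file has lines this script does not evaluate (@include, [..] control)
pam_auth_audit() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    awk -v name="$file" '
        /^[ \t]*#/ || NF == 0 { next }                # skip comments and blank lines
        /^[ \t]*@include/ || $2 ~ /^\[/ { unhandled++; next }
        $1 == "auth" && $3 ~ /(^|\/)pam_permit\.so$/ && $2 != "optional" { permit++ }
        $1 == "auth" && $3 ~ /(^|\/)pam_rootok\.so$/ { rootok++ }
        END {
            if (permit) {
                printf "%s: FAIL auth stack contains pam_permit (%d line(s))\n", name, permit
                exit 1
            }
            if (unhandled) {
                printf "%s: WARN %d line(s) not evaluated (@include or [..] control)\n", name, unhandled
                exit 3
            }
            if (rootok) { printf "%s: OK root-only via pam_rootok\n", name; exit 0 }
            printf "%s: OK no unconditional permit in auth stack\n", name
            exit 0
        }' "$file"
}

# Demo on constructed sample files (not copied from any real system).
demo_dir=$(mktemp -d)
printf 'auth\trequired\tpam_permit.so\n' > "$demo_dir/quagga.weak"
printf 'auth\trequired\tpam_rootok.so\n' > "$demo_dir/quagga.fixed"
pam_auth_audit "$demo_dir/quagga.weak"   # FAIL, exit status 1
pam_auth_audit "$demo_dir/quagga.fixed"  # OK, exit status 0
rm -rf "$demo_dir"
```

Run it over every file in /etc/pam.d to find other services whose auth stack depends on pam_permit.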
