Now that we have Kerberos authentication, I don't want to rip out the PAM support, since non-Kerberos-enabled sites should be able to use EFS.
But, given the ugliness and complexity of the password caching code, and the fact that every last security expert won't like it (and we don't have much grounds to argue with them), why not just trash it? IOW, you'll still be able to authenticate password in efsd via PAM, but the client will require you to submit the password every time, instead of caching it (or attempting to) in ~/.efsconfig. Thoughts?
_______________________________________________
EFS-dev mailing list
[email protected]
http://mailman.openefs.org/mailman/listinfo/efs-dev
