Oh, I'm not dropping PAM.  It's perfectly reasonable as coded.

The issue is just the password caching.  The code's there, and it works, but
I'd prefer NOT to do something that makes security pros scoff at us.

Baldwin, do you have kerberos infrastructure you can leverage in your
environment?

On Thu, Jun 10, 2010 at 11:36 PM, Baldwin Sung 宋志瑞 <[email protected]> wrote:

> IMHO, the next version of EFS should only support Kerberos. If anybody
> wants to keep the password caching, stay with the current version of EFS.
> Keep the PAM support, who knows what else might be plugged in later on.
>
> On Jun 10, 2010, at 11:26 PM, Phillip Moore wrote:
>
> > Now that we have Kerberos authentication, I don't want to rip out the PAM
> support, since non-Kerberos enabled sites should be able to use EFS.
> >
> > But, given the ugliness and complexity of the password caching code, and
> the fact that every last security expert won't like it (and we don't have
> much grounds to argue with them), why not just trash it?
> >
> > IOW, you'll still be able to authenticate passwords in efsd via PAM, but
> the client will require you to submit the password every time, instead of
> caching it (or attempting to) in ~/.efsconfig.
> >
> > Thoughts?
> >
> > _______________________________________________
> > EFS-dev mailing list
> > [email protected]
> > http://mailman.openefs.org/mailman/listinfo/efs-dev