On Mon, Jan 21, 2002 at 01:17:44 +0100, Dag-Erling Smorgrav wrote: > > That's what PAM is for. If fixed (not necessary plaintext!) passwords > are allowed, the admin will mark pam_opie as "sufficient" and place > pam_unix below it; if they're not, he'll just remove pam_unix.
It not allows flexible configuration because it is not depends on remote host for example. I.e. for some host pam_unix can be chained, but for some another - not. > The current system, BTW, leaves the policy in the hands of the user, > as she can create or remove ~/.opie_always at will. A security policy > which is based on letting the user decide what is sufficient > authentication and what is not is not a proper security policy. No, by creating ~/.opiealways user can only _increase_ its own security level additionly to pre-setted by sysadmin for him, and can't _decrease_ it. > Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR > from a "sufficient" module. A "requisite" helper module, placed after > pam_opie, which fails if ~/.opie_always exists would do the trick, if > one really wanted this. ~/.opiealways checked only if opieaccess() found remote host in the /etc/opieaccess table. Yes, this check can be done as separate PAM module, but why two modules in the same area instead of one? -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message