On Mon, Jan 21, 2002 at 01:17:44 +0100, Dag-Erling Smorgrav wrote:
> That's what PAM is for.  If fixed (not necessary plaintext!) passwords
> are allowed, the admin will mark pam_opie as "sufficient" and place
> pam_unix below it; if they're not, he'll just remove pam_unix.

It not allows flexible configuration because it is not depends on remote 
host for example. I.e. for some host pam_unix can be chained, but for some 
another - not.

> The current system, BTW, leaves the policy in the hands of the user,
> as she can create or remove ~/.opie_always at will.  A security policy
> which is based on letting the user decide what is sufficient
> authentication and what is not is not a proper security policy.

No, by creating ~/.opiealways user can only _increase_ its own security 
level additionly to pre-setted by sysadmin for him, and can't _decrease_ 

> Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR
> from a "sufficient" module.  A "requisite" helper module, placed after
> pam_opie, which fails if ~/.opie_always exists would do the trick, if
> one really wanted this.

~/.opiealways checked only if opieaccess() found remote host in the 
/etc/opieaccess table.

Yes, this check can be done as separate PAM module, but why two modules in 
the same area instead of one?

Andrey A. Chernov

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to