"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 01:17:44 +0100, Dag-Erling Smorgrav wrote:
> > The current system, BTW, leaves the policy in the hands of the user,
> > as she can create or remove ~/.opie_always at will.  A security policy
> > which is based on letting the user decide what is sufficient
> > authentication and what is not is not a proper security policy.
> No, by creating ~/.opiealways user can only _increase_ its own security 
> level additionly to pre-setted by sysadmin for him, and can't _decrease_ 
> it.

The admin can't enforce "always OPIE" for a user, because the user can
always delete his ~/.opiealways.

> > Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR
> > from a "sufficient" module.  A "requisite" helper module, placed after
> > pam_opie, which fails if ~/.opie_always exists would do the trick, if
> > one really wanted this.
> ~/.opiealways checked only if opieaccess() found remote host in the 
> /etc/opieaccess table.

Oh.  I misunderstood the role of /etc/opieaccess in this.  This only
strengthens my opinion that this check should be in a separate module.
How about I write a pam_opieaccess(8) module and you tell me what you
think of it?  It's really the cleanest solution from PAM's point of

> Yes, this check can be done as separate PAM module, but why two modules in 
> the same area instead of one?

Because they're different mechanisms that check different things, and
their success or failure have different meanings.

Dag-Erling Smorgrav - [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to