"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote:
> One (among others) argument _for_ "no fake prompts" is that a standalone
> application, once compiled with OPIE support, can't dynamically turn off
> fake prompts using some configuration. For the PAM case it means that pam_opie
> can't always be turned on without confusion, just because of its fake prompts
> and _nothing_else_.
> 
> The arguments _against_ "no fake prompts" were explained by markm in our
> previous discussion.

Yes, information leakage.

We have two options:

 - enable OPIE by default, with the no_fake_prompts option, leaving it
   up to the admin to enable fake prompts if he so wishes

 - disable OPIE by default, but do fake prompts by default if it is
   enabled

I think the first alternative increases security in a default
installation, because it allows any user to choose to use OPIE without
admin intervention.  If we go for the second alternative, users can
use OPIE only if the admin decides to enable it.

> > > I have an idea to solve it by adding a "no_fake_prompts" option to pam_opie to
> > > control that per admin choice.
> > Yep, excellent idea.  I'll get right on it.
> Ok, I'll make a patch for review.

Please, I'm getting paid to do this :) Make yourself a cup of tea or
something and put your feet up on the desk for a couple of minutes.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]
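
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not pam_opie code: a small Python model of which prompt a login shows with and without `no_fake_prompts`, and whether the prompt alone reveals who has an OPIE key. The user names, the sample challenge values, the host secret and every function name are assumptions made for illustration.

```python
import hashlib
import hmac

# Everything here is constructed for illustration; none of it is pam_opie code.
HOST_SECRET = b"constructed-per-host-secret"
ENROLLED = {"alice": (498, "gr4542")}  # user -> (sequence, seed), sample data


def fake_challenge(user: str) -> str:
    """Fabricate a challenge for a user with no OPIE key.

    Derived from a keyed hash so the same user always sees the same
    values; a challenge that changed on every attempt would itself
    mark the account as non-OPIE.
    """
    digest = hmac.new(HOST_SECRET, user.encode(), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:2], "big") % 499
    seed = "fk%04d" % (int.from_bytes(digest[2:4], "big") % 10000)
    return f"otp-md5 {seq} {seed}"


def login_prompt(user: str, no_fake_prompts: bool) -> str:
    """Return the prompt text a login would display for this user."""
    if user in ENROLLED:
        seq, seed = ENROLLED[user]
        return f"otp-md5 {seq} {seed}\nPassword: "
    if no_fake_prompts:
        return "Password: "  # plain prompt, nothing to confuse the user
    return fake_challenge(user) + "\nPassword: "


def enrollment_visible(users, no_fake_prompts: bool) -> bool:
    """True if the prompts alone split users into OPIE and non-OPIE groups."""
    kinds = {login_prompt(u, no_fake_prompts).startswith("otp-") for u in users}
    return len(kinds) > 1


if __name__ == "__main__":
    for flag in (False, True):
        print(f"no_fake_prompts={flag}: enrollment visible ->",
              enrollment_visible(["alice", "bob"], flag))
```
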
