https://bugzilla.mindrot.org/show_bug.cgi?id=1215

Brad Huntting <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #21 from Brad Huntting <[email protected]> ---
In most environments users control their own workstations and servers,
and root on these machines is not to be trusted any more than the users
who own them. And most AAA databases (RADIUS, LDAP, etc) are
administered by someone other than the user/owner of the workstation
using them.

In some cases, the AAA database may be administered by a service
provider, with users as customers. In such an environment it's not
unreasonable to expect that customer data (name, phone number, homedir,
etc) should not be shared with other customers.

In other cases, the location of the user's homedir may not even be
knowable before the user is authenticated.

In these, and many other situations, it is simply presumptuous to
suppose that nss passwd information for every user would be available
to every other user everywhere.

I do agree that PAM changing the username during authentication is a
bad idea; I think it would be better to pass user info to an
nss_radius.so module via some runtime (/var/run/radius_users.db)
database.

However, asking a user to authenticate before giving out their personal
information is not an unreasonable requirement. This needs to be a
configurable option.
