On Mon, Jun 09, 2008 at 10:38:53AM +0100, Darren J Moffat wrote:
> Joep Vesseur wrote:
>>> a) Did PSARC/2007/700 integrate somewhere?
>> 
>> No, not yet; I've been stuck in the changes needed for the graphical
>> installer. Need to pick up the pieces again.
>> 
>>> b) If so, why didn't the manpage change integrate?
>>> c) Is having passwordless roles any less stupid than passwordless users?
>> 
>> I'd say it is because with passwordless roles you have at least the
>> attribution to which user assumed a role. With passwordless users
>> you'd have no way of knowing who logged into your system.
> 
> The reason Solaris expects roles, just like users, to have passwords is 
> because of the need for a password to use AUTH_DH creds for NIS+ and NFS 
> shared with sec=dh.
> 
> If you don't need to use AUTH_DH then you may not need roles to have 
> passwords.  On the other hand you may wish roles to be Kerberos principals 
> in which case you would likely need a password for them (or some way of 
> maintaining and using a keytab for them).
> 
> If you need none of the security provided by AUTH_DH or Kerberos then you 
> may not need to use passwords with roles.

It's good to hear that this is reasonable usage; I mentioned it to some
(non-Solaris-using) colleagues and they were rather disconcerted but I
assumed they just didn't really understand what roles were :)

In my current situation I don't need any of the stuff above, but SXCE
doesn't allow passwordless roles.  I'm not sure why if the quoted ARC
case didn't integrate; it just seems that the OpenSolaris code base
never has supported this (although, as noted, it does work in Solaris 10).

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
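The attribution point raised above (a passwordless role is still tied to the users allowed to assume it) is something an administrator can audit. The script below is an added example, not code from the thread or from Solaris: it reads constructed sample copies of /etc/user_attr and /etc/shadow embedded inline, treats an empty shadow password field as "passwordless", and prints each such role together with the users whose `roles=` attribute lets them assume it. The sample accounts, hashes and role names are invented for the example.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list thread). Sample data is
# constructed; on a real host you would feed /etc/user_attr and /etc/shadow.
USER_ATTR='# user_attr (constructed sample)
root::::auths=solaris.*;profiles=All;type=normal
sysadm::::type=role;profiles=System Administrator
backupop::::type=role;profiles=Media Backup
alice::::type=normal;roles=sysadm,backupop
bob::::type=normal;roles=backupop'

# shadow(4) layout: name:passwd:lastchg:min:max:warn:inactive:expire:flag
# sysadm has an empty password field; backupop is locked (*LK* prefix).
SHADOW='root:$6$constructedhash1:17700::::::
sysadm::17700::::::
backupop:*LK*:17700::::::
alice:$6$constructedhash2:17700::::::
bob:$6$constructedhash3:17700::::::'

# list_passwordless_roles: prints "<role> <user>..." for every type=role
# entry whose shadow password field is empty, so that the users who can
# assume the role (the attribution the thread relies on) are visible.
list_passwordless_roles() {
  printf '%s\n' "$USER_ATTR" | awk -F: -v shadow="$SHADOW" '
  BEGIN {
    # index the shadow password field by account name
    n = split(shadow, lines, "\n")
    for (i = 1; i <= n; i++) {
      split(lines[i], f, ":")
      pw[f[1]] = f[2]
    }
  }
  /^#/ || NF < 5 { next }          # skip comments and malformed lines
  {
    name = $1; attr = $5
    if (attr ~ /(^|;)type=role(;|$)/) roles[name] = 1
    if (match(attr, /(^|;)roles=[^;]*/)) {
      r = substr(attr, RSTART, RLENGTH)
      sub(/^;?roles=/, "", r)
      m = split(r, list, ",")
      for (j = 1; j <= m; j++) assumers[list[j]] = assumers[list[j]] " " name
    }
  }
  END {
    for (role in roles)
      if ((role in pw) && pw[role] == "")
        print role (assumers[role] == "" ? " (no users may assume)" : assumers[role])
  }' | sort
}

list_passwordless_roles
```

With the constructed data the only report line is `sysadm alice`: backupop is locked rather than passwordless, and alice is the single user who may assume sysadm. A role that shows up with "(no users may assume)" has no assignment at all, which is worth checking separately since it cannot be attributed to anyone.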