This one time, at band camp, Thomas Bushnell BSG said: > Stephen Gran <sgran@debian.org> writes: > > > Many authentiaction systems do not use pam or shadow authentication. > > That's the point of the counter argument. > > So how does removing the line from the password file suddenly change > things? The difference is between locking a password (which involves changing a line is shadow) and removing an account (which invloves removing a line in passwd). You do see get that while, for instance, ssh keys can bypass pam and shadow _passwords_, it does not bypass the normal sytem calls for username verification? Please notice that not only are passwd and shadow seperate files, they are also seperate lookup databases in the nss routines - you can look up an entity in passwd and never look up the corresponding auth token in shadow. I am of course not talking about other arrangements like pam_ldap or some other addons that packages can have no expectations of knowing about. These are standard system files, and you are advocating changing only one on removal, because you think that is safer than changing both. I am pointing out that that is not always the case, depending on what local arrangements have been made. Hope that clears it up for you, -- ----------------------------------------------------------------- | ,''`. Stephen Gran | | : :' : sgran@debian.org | | `. `' Debian user, admin, and developer | | `- http://www.debian.org | -----------------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature