[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the release team: the plans for etch

This one time, at band camp, Thomas Bushnell BSG said:
> Stephen Gran <sgran@debian.org> writes:
> > Many authentiaction systems do not use pam or shadow authentication.
> > That's the point of the counter argument.  
> So how does removing the line from the password file suddenly change
> things?  

The difference is between locking a password (which involves changing a
line is shadow) and removing an account (which invloves removing a line
in passwd).  You do see get that while, for instance, ssh keys can
bypass pam and shadow _passwords_, it does not bypass the normal sytem
calls for username verification?  Please notice that not only are passwd
and shadow seperate files, they are also seperate lookup databases in the
nss routines - you can look up an entity in passwd and never look up the
corresponding auth token in shadow.

I am of course not talking about other arrangements like pam_ldap or
some other addons that packages can have no expectations of knowing
about.  These are standard system files, and you are advocating changing
only one on removal, because you think that is safer than changing both.
I am pointing out that that is not always the case, depending on what
local arrangements have been made.

Hope that clears it up for you,
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

Attachment: signature.asc
Description: Digital signature

Reply to: