
Re: mod_auth_pam



On Wed, Jan 31, 2001 at 06:15:27PM +0100, Ingo Luetkebohle wrote:
> On Wed, Jan 31, 2001 at 09:41:35AM -0500, Ben Collins wrote:
> > And then, anyone silly enough not to have shadow enabled deserves
> > to not even have a machine capable of being networked to the
> > internet :)
> 
> shadow sucks. I use Kerberos or LDAP whenever I can. Both protocols
> lend themselves much better to PAM-integration, btw.

That's the most ignorant statement I have seen in a while. So you suggest
that a desktop box with one account have Kerberos or LDAP for users?
Your statement has nothing to do with the point at hand. Obviously, if
you always use krb or ldap, then why should you even care about the
pam_unix.so module anyway?

> > Um, so you would rather it allow any user to use this application to
> > attempt brute force attacks against /etc/shadow?
> 
> Yes.
> 
> The main point being that it's done *anyway*, and then I'd rather have
> it built into PAM than into mod_auth_external (no offence meant
> against that module, but the code just doesn't get the same exposure).
> 
> The secondary point is that it's completely the same as having the
> capability to check all passwords in the ftp-server or the
> login-program, to give just two commonly used examples.
> 
> However, I had this discussion with Andrew Morgan two years ago and he
> shares your opinion so we're probably not going to see a change in
> PAM.

No, it's not the same. The program runs quickly and does nothing but
auth the user and return an exit value. It is not tied down by PAM or
any other policies (such as delay on failure, etc.). It is never going to
be able to auth any user other than the egid of the calling process.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'