On Wed, Jan 31, 2001 at 09:41:35AM -0500, Ben Collins wrote:
> And then, any one silly enough not to have shadow enabled, deserves
> to not even have a machine capable of being networked to the
> internet :)
shadow sucks. I use Kerberos or LDAP whenever I can. Both protocols
lend themselves much better to PAM-integration, btw.
> Um, so you would rather it allow any user to use this application to
> attempt brute force attacks against /etc/shadow?
The main point being that its done *anyway* and then I'd rather have
it built into PAM than into mod_auth_external (no offence meant
against that module, but the code just doesn't get the same exposure).
The secondary point is that its completely the same as having the
capability to check all passwords in the ftp-server or the
login-program, to give just two commonly used examples.
However, I had this discussion with Andrew Morgan two years ago and he
shares your opinion so we're probably not going to see a change in
Ingo Luetkebohle / firstname.lastname@example.org / 95428014
| Student of Computational Linguistics & Computer Science;
| Fargonauten.DE sysadmin; Gimp Registry maintainer;
| FP: 3187 4DEC 47E6 1B1E 6F4F 57D4 CD90 C164 34AD CE5B