Re: login_access()

From: Kris Kennaway (kris@FreeBSD.ORG)
Date: 01/19/01

Date: Fri, 19 Jan 2001 14:48:41 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: "David J. MacKenzie" <>

On Fri, Jan 19, 2001 at 03:32:18PM -0500, David J. MacKenzie wrote:
> login.c in -stable is compiled by default with login_access(),
> which is in the login source directory. It reads /etc/login.access
> to restrict who can log in. sshd also uses that source file.
> However, rshd and the MIT krb5 port don't check that file,
> so relying on it for authorization is risky.
> I suggest that login_access() be removed from the login source directory
> and turned into a PAM module account management function so it can be
> used uniformly without specially hacking each program that needs it.

This sounds like a good way to proceed (well, PAM module first, then
removal/deprecation). Are you able to submit code to do the former?


P.S. FreeBSD is in desperate need of a maintainer for PAM. Keep this
up, and you'll soon find yourself a committer.

NOTE: To fetch an updated copy of my GPG key which has not expired,
