Re: login_access()

From: Kris Kennaway (kris@FreeBSD.ORG)
Date: 01/19/01


Date: Fri, 19 Jan 2001 14:48:41 -0800
From: Kris Kennaway <kris@FreeBSD.ORG>
To: "David J. MacKenzie" <djm@web.us.uu.net>


On Fri, Jan 19, 2001 at 03:32:18PM -0500, David J. MacKenzie wrote:
> login.c in -stable is compiled by default with login_access(),
> which is in the login source directory. It reads /etc/login.access
> to restrict who can log in. sshd also uses that source file.
>
> However, rshd and the MIT krb5 port don't check that file,
> so relying on it for authorization is risky.
> I suggest that login_access() be removed from the login source directory
> and turned into a PAM module account management function so it can be
> used uniformly without specially hacking each program that needs it.

This sounds like a good way to proceed (well, PAM module first, then
removal/deprecation). Are you able to submit code to do the former?

Kris

P.S. FreeBSD is in desperate need of a maintainer for PAM. Keep this
up, and you'll soon find yourself a committer.

-- 
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

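Added example, not part of the original messages and not FreeBSD's login_access() source: a simplified evaluator for a login.access-style table (`permission : users : origins`, first matching line decides, no match allows), written as one function that a single account-management hook could call so every service gets the same answer. The names `access_check`, `list_match` and `SAMPLE_TABLE` are hypothetical; only the `ALL` keyword is handled (no `EXCEPT`, `LOCAL`, groups or host patterns), and denying on a malformed line is a choice made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table for this example, not a real /etc/login.access. */
static const char SAMPLE_TABLE[] =
    "# root only on the console, guest nowhere\n"
    "+ : root : console\n"
    "- : root : ALL\n"
    "- : guest : ALL\n";

/* Return 1 if item equals a whitespace-separated token in list, or list has ALL. */
static int list_match(const char *list, const char *item)
{
    while (*list) {
        list += strspn(list, " \t");        /* skip separators */
        size_t n = strcspn(list, " \t");    /* length of next token */
        if (n == 0)
            break;
        if ((n == 3 && strncmp(list, "ALL", 3) == 0) ||
            (n == strlen(item) && strncmp(list, item, n) == 0))
            return 1;
        list += n;
    }
    return 0;
}

/* Return 1 to allow, 0 to deny. The first line whose users and origins both
 * match decides; if no line matches, access is allowed. */
int access_check(const char *table, const char *user, const char *origin)
{
    while (*table) {
        char line[512], perm, users[256], origins[256];
        size_t n = strcspn(table, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, table);
        table += n + (table[n] == '\n');    /* advance past this line */
        if (line[0] == '#' || line[0] == '\0')
            continue;                       /* comment or blank line */
        if (sscanf(line, " %c : %255[^:] : %255[^\n]", &perm, users, origins) != 3
            || (perm != '+' && perm != '-'))
            return 0;                       /* malformed line: fail closed */
        if (list_match(users, user) && list_match(origins, origin))
            return perm == '+';
    }
    return 1;
}

int main(void)
{
    printf("root@ttyp0 -> %d\n", access_check(SAMPLE_TABLE, "root", "ttyp0"));
    return 0;
}
```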