From: Derek Robert Price
Subject: Re: PAM authentication patch - v2
Date: Thu, 17 Apr 2003 12:12:30 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Larry Jones wrote:

> Derek Robert Price writes:
>
> > Speaking of committing, if I read the discussion correctly and no one changed their mind without saying so, we're still at +1 developer votes:
>
> I'm fence sitting. As I see more and more problems with incompatibilities between various PAM implementations, I'm becoming more and more sympathetic to Greg's attitude that we shouldn't be in the authorization business at all. If you want PAM, use ssh (or rsh if you must), not pserver.

The truth is, I mostly agree with Greg too. I just feel that as long as we aren't going to remove system password support, we might as well offer some flexibility and let each administrator make the final decisions about where the password comes from. I'm looking at PAM as a way of avoiding and offloading onto others most future work in this area. An administrator could be tunnelling the pserver connections over SSL or via SSH or VPN or IPSec or whatever to feel safe enough. As long as we continue to be clear about the security risks, I don't see the harm in allowing others to make their own choices in this area.
As far as incompatibilities are concerned, I think we will see those disappear as PAM use becomes more widespread. Solaris and Linux are both fairly large user bases as far as the UNIX world is concerned.
Regardless, the change would be on the experimental branch. The changes can be removed if it sparks more complaints or bug reports than we can handle.

Derek

--
*8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
I will not grease the monkey bars. I will not grease the monkey bars. I will not grease the monkey bars...
- Bart Simpson on chalkboard, _The Simpsons_