OpenSSH, PAM and kerberos

Lev Serebryakov lev at FreeBSD.org
Tue Sep 3 11:49:14 UTC 2013


Hello, Dag-Erling.
You wrote on 3 September 2013, 15:30:43:

>> des@ suggests to have ability to pass env variables from authorization
>> daemon, but anyway, pam_setcred() should be called by shell process
>> (or its parent), and not any process in system, am I right?
DES> Everything pam_setcred() does can be done in a separate process, and the
DES> result returned to the application using sendmsg().
Why do we need a separate daemon for it? Why could it not be built into sshd
itself? One more daemon -- one more point of failure...

-- 
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>


