OpenSSH, PAM and kerberos

Dag-Erling Smørgrav des at des.no
Wed Sep 4 07:53:14 UTC 2013


Lev Serebryakov <lev at FreeBSD.org> writes:
> Accepting input from a hostile user is a huge security issue per se? Ouch. In
> the modern world there are only hostile users. Yes, all our software has
> huge security issues, I know that :)

Please look up "privilege separation" on Wikipedia so you have at least
*some* idea of what we're talking about.

> As far as I understand, PAM is not 40-years-old getpwnam() API. It is
> (relative) modern API to replace getpwnam(), with support of modern
> identity databases in mind.

No, PAM does not replace getpwnam().  PAM does not handle identity at
all.  NSS handles identity with the old getpwnam() API.

I'm not going to answer the rest - it is so full of misconceptions,
fallacies and incorrect assumptions that I simply don't have the
energy.

DES
-- 
Dag-Erling Smørgrav - des at des.no
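The two points above (identity comes from NSS via the getpwnam() family, and privileged code should do as little as possible before handing off) can be shown in a few lines of C. This is an added example written for this page, not code from OpenSSH, PAM or the FreeBSD tree: it resolves a login name through NSS with the reentrant getpwnam_r(), distinguishes "unknown user" from a lookup error, and then permanently drops to that identity in the order a privilege-separating daemon would (supplementary groups, then gid, then uid). The function names resolve_identity and drop_privileges are this example's own. No PAM call appears because, as the reply states, PAM has nothing to say about who a user is; it only answers whether a claimed identity may authenticate.

```c
#include <errno.h>
#include <grp.h>      /* setgroups() on Linux; FreeBSD declares it in <unistd.h> */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a login name to uid/gid through NSS (getpwnam_r).
 * Returns 0 on success, ENOENT when no such account exists, or the errno
 * value reported by the NSS backend. Hypothetical helper for this example. */
int resolve_identity(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd pw;
    struct passwd *result = NULL;
    char buf[4096];                       /* scratch space for string fields */
    int rc;

    if (name == NULL || uid == NULL || gid == NULL)
        return EINVAL;

    rc = getpwnam_r(name, &pw, buf, sizeof buf, &result);
    if (rc != 0)
        return rc;                        /* backend failure (e.g. ERANGE, EIO) */
    if (result == NULL)
        return ENOENT;                    /* lookup worked, account does not exist */

    *uid = pw.pw_uid;
    *gid = pw.pw_gid;
    return 0;
}

/* Permanently drop to the given identity. Groups are cleared and the gid is
 * set before the uid, because once the uid is unprivileged the other two
 * changes are no longer permitted. Returns 0 on success or an errno value.
 * Hypothetical helper for this example. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return errno;                     /* only root may clear the group list */
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s login-name\n", argv[0]);
        return 2;
    }
    rc = resolve_identity(argv[1], &uid, &gid);
    if (rc != 0) {
        fprintf(stderr, "%s: %s\n", argv[1],
                rc == ENOENT ? "no such user" : strerror(rc));
        return 1;
    }
    printf("%s -> uid %lu gid %lu (resolved by NSS, not PAM)\n",
           argv[1], (unsigned long)uid, (unsigned long)gid);
    rc = drop_privileges(uid, gid);
    if (rc != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(rc));
        return 1;
    }
    printf("now running as uid %lu\n", (unsigned long)getuid());
    return 0;
}
```

Run it as root with a real account name to see the drop take effect; as an unprivileged user it can only "drop" to its own identity, and the ENOENT branch is what an unknown name produces regardless of privilege.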


More information about the freebsd-security mailing list