5.1 beta2 still in trouble with pam_ldap
Dag-Erling Smorgrav
des at ofug.org
Fri May 23 12:41:14 PDT 2003
Ruslan Ermilov <ru at FreeBSD.org> writes:
> Why pam_nologin in the "auth" chain of the "login" service is marked
> "required" and not "requisite", and why do we have the "required" at
> all? What's the point in continuing with the chain if we are going
> to return the failure anyway? What's the real application of
> "required" as compared to "requisite"?
Information leak. The applicant screwed up, but we don't want to let
him know that until he's jumped through all the *other* hoops as well;
otherwise he might learn something about our authentication setup from
the premature error message.
DES
--
Dag-Erling Smorgrav - des at ofug.org
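
Added example, not part of the original message and not OpenPAM code: a simplified Python model of the "required" and "requisite" control flags, showing what the applicant can observe when the first module in a chain fails. The two-module chains and the module outcomes are constructed for illustration, and only these two flags are modelled.

```python
# Simplified model of the "required" and "requisite" control flags.
# Added illustration: not OpenPAM code; module outcomes are constructed.
OK, FAIL = "PAM_SUCCESS", "PAM_AUTH_ERR"

def run_chain(chain, outcomes):
    """chain: [(flag, module)], outcomes: {module: OK or FAIL}.
    Returns (final result, list of modules actually invoked)."""
    invoked, failed = [], False
    for flag, module in chain:
        if flag not in ("required", "requisite"):
            raise ValueError("flag not modelled: " + flag)
        invoked.append(module)
        if outcomes[module] == FAIL:
            if flag == "requisite":
                return FAIL, invoked   # chain stops here; later modules never run
            failed = True              # required: remember failure, keep going
    return (FAIL if failed else OK), invoked

def applicant_view(chain, outcomes):
    """What the applicant can observe: the verdict and how many modules ran
    (for example, whether a password prompt ever appeared)."""
    result, invoked = run_chain(chain, outcomes)
    return result, len(invoked)

def leaks(chain, first, later):
    """True if a failure in `first` looks different from a failure in `later`."""
    modules = [m for _, m in chain]
    fail_first = {m: (FAIL if m == first else OK) for m in modules}
    fail_later = {m: (FAIL if m == later else OK) for m in modules}
    return applicant_view(chain, fail_first) != applicant_view(chain, fail_later)

# Constructed two-module "login" auth chains, differing only in the flag.
REQUIRED_CHAIN = [("required", "pam_nologin"), ("required", "pam_unix")]
REQUISITE_CHAIN = [("requisite", "pam_nologin"), ("required", "pam_unix")]

if __name__ == "__main__":
    for name, chain in (("required", REQUIRED_CHAIN), ("requisite", REQUISITE_CHAIN)):
        print(name, "leaks which module failed:", leaks(chain, "pam_nologin", "pam_unix"))
```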