5.1 beta2 still in trouble with pam_ldap

Ruslan Ermilov ru at FreeBSD.org
Fri May 23 12:49:18 PDT 2003


On Fri, May 23, 2003 at 09:41:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru at FreeBSD.org> writes:
> > Why pam_nologin in the "auth" chain of the "login" service is marked
> > "required" and not "requisite", and why do we have the "required" at
> > all?  What's the point in continuing with the chain if we are going
> > to return the failure anyway?  What's the real application of
> > "required" as compared to "requisite"?
> 
> Information leak.  The applicant screwed up, but we don't want to let
> him know that until he's jumped through all the *other* hoops as well;
> otherwise he might learn something about our authentication setup from
> the premature error message.
> 
Works for the generic case, but not for this particular example.
Just run "shutdown -k now" locally, and watch how funny the login
session looks.  I don't think we're leaking something here.  ;)
Hm, or maybe this is just the problem with pam_nologin(8) not
respecting the "no_warn" option?


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru at sunbay.com		Sunbay Software AG,
ru at FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
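As an added illustration (not part of the thread or of OpenPAM itself), a constructed Python model of the "required" vs "requisite" semantics discussed above: with pam_nologin marked "required" the chain still runs pam_unix and prompts for a password before the deferred failure is reported, while "requisite" stops at pam_nologin and makes that step observable. The module behaviours, the sample password and the use of "root" as the exempt user are assumptions of the simulation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Module:
    name: str
    control: str                      # required | requisite | sufficient | optional
    check: Callable[[Dict], bool]     # True stands for PAM_SUCCESS

def run_chain(chain: List[Module], ctx: Dict) -> Tuple[bool, List[str]]:
    """Walk an auth chain with simplified OpenPAM control-flag rules.
    Returns (authenticated, names of the modules that actually ran)."""
    ran, deferred_failure = [], False
    for m in chain:
        ran.append(m.name)
        ok = m.check(ctx)
        if m.control == "requisite" and not ok:
            return False, ran                  # stop now: the failing step is observable
        if m.control == "required" and not ok:
            deferred_failure = True            # remember it, but run the remaining modules
        elif m.control == "sufficient" and ok and not deferred_failure:
            return True, ran
        # "optional" never decides the outcome in a chain of several modules
    return not deferred_failure, ran

def pam_nologin(ctx: Dict) -> bool:
    # Assumed behaviour: fails for non-root users while the nologin file exists
    return ctx["user"] == "root" or not ctx["nologin_present"]

def pam_unix(ctx: Dict) -> bool:
    ctx["prompted_for_password"] = True        # visible side effect: the password prompt
    return ctx["password"] == ctx["real_password"]

def login_auth(control: str, user: str, password: str,
               nologin_present: bool) -> Tuple[bool, List[str], bool]:
    """Run the 'login' auth chain with pam_nologin under the given control flag.
    Returns (authenticated, modules run, whether a password prompt was shown)."""
    ctx = {"user": user, "password": password, "real_password": "hunter2",  # constructed
           "nologin_present": nologin_present, "prompted_for_password": False}
    chain = [Module("pam_nologin", control, pam_nologin),
             Module("pam_unix", "required", pam_unix)]
    ok, ran = run_chain(chain, ctx)
    return ok, ran, ctx["prompted_for_password"]

if __name__ == "__main__":
    for control in ("required", "requisite"):
        print(control, login_auth(control, "alice", "hunter2", nologin_present=True))
```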