Subject: Re: PAM enabled on head
To: Christos Zoulas <christos@zoulas.com>
From: Eric Haszlakiewicz <erh@jodi.nimenees.com>
List: current-users
Date: 03/08/2005 13:59:48
On Tue, Mar 08, 2005 at 07:37:35AM -0500, Christos Zoulas wrote:
> On Mar 8,  7:28am, netbsd@lists.veego.de (Bernd Ernesti) wrote:
> -- Subject: Re: PAM enabled on head
> 
> | > We have changed PAM to fail closed. I.e. a missing PAM configuration will
> | > default to fail authentication as opposed to allow it. We are still
> | > thinking of adding even more strict checks in the authentication path, so
> | > that incorrect configurations will not default to allow someone access.
> | 
> | So this means that you can no longer login if you don't have an /etc/pam.d
> | or an empty one?
> 
> Yes.

	I'm not entirely up to speed on PAM, are you really saying that with PAM
ALL login methods will fail?  If so, that really sucks.  Wouldn't it make more
sense to have the non-existent case indicate a default that is exactly the
same as pre-PAM?  Having the system lock me out, even though I didn't change
any configuration, seems like it clearly violates the principle of least
surprise.

eric
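
An added example, not part of the original message or of NetBSD's code: a pre-upgrade check for the fail-closed behaviour discussed in this thread, reporting which services have no PAM policy file and would therefore be denied. It assumes one policy file per service under the PAM directory with a file named `other` as the fallback, and treats a file with only blank or comment lines as having no policy; the service names in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: find services that have no usable PAM policy file.
# Assumptions: policies live in DIR/<service>, DIR/other is the fallback,
# and a file with only blank or comment lines counts as no policy.

# has_rules FILE: true if FILE exists and contains at least one line
# that is neither blank nor a comment.
has_rules() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# pam_policy_status DIR SERVICE: prints "service", "other" or "none".
pam_policy_status() {
    if has_rules "$1/$2"; then
        echo service
    elif has_rules "$1/other"; then
        echo other
    else
        echo none
    fi
}

# pam_audit DIR SERVICE...: one report line per service.
# Returns 1 if any listed service has no policy at all.
pam_audit() {
    dir=$1; shift
    rc=0
    for svc in "$@"; do
        status=$(pam_policy_status "$dir" "$svc")
        case $status in
            none)  echo "$svc: no policy found, authentication will be denied"
                   rc=1 ;;
            other) echo "$svc: no own policy, falls back to $dir/other" ;;
            *)     echo "$svc: policy in $dir/$svc" ;;
        esac
    done
    return $rc
}

# Usage, run from a root shell that stays open until the result is clean:
#   pam_audit /etc/pam.d login sshd su
```

The check only confirms that a policy exists for each service; it does not evaluate whether the rules in it would allow a login.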