Subject: Re: telnet again
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: current-users
Date: 11/01/2005 16:12:34
In article <oqacgp6zjr.fsf@castrovalva.Ivy.NET>,
Miles Nordin  <carton@Ivy.NET> wrote:
>
>I'm trying to get telnet working the way I want it again.  When I
>'telnet -K localhost' this process shows up:
>
>root    13847  0.0  0.6   248  2952 ?     S     6:20PM  0:00.04 telnetd -a off -s -g net.default
>
>You can see I'm passing the '-s' flag to telnetd, which according to
>telnetd(8) will make telnet in turn pass the '-s' flag to login.  But
>as soon as I type my username, this process shows up:
>
>root     9955  0.0  0.5   136  2720 ttyq4 S<s+  6:20PM  0:00.03 login 
>
>and login gladly accepts non-S/Key passwords.  I think this used to
>work, but honestly I never used telnet much.  Anyone remember
>otherwise or know what changed?  If it's a real change it may even
>warrant a security advisory. :(

It might warrant a security advisory, since as you mentioned the
flags are accepted and not acted upon. I have changed login_pam to
reject -s and -F since these flags are not supported anymore. In
the PAM world, every authenticator goes through the pam process,
which is controlled only from /etc/pam.d/<program>. So if you want
login to accept only skey, you need to make the change there.

Unfortunately there is no way under PAM to make the system behave
exactly the same way it behaved before.

christos
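An added illustration of the /etc/pam.d change Christos describes; this is
not part of the original message or of the NetBSD tree. It assumes NetBSD's
pam_skey(8) module and the stock layout of /etc/pam.d/login in which the
auth stack is pulled in from /etc/pam.d/system (check both assumptions
against your own files and pam_skey(8) before copying anything).

```text
# /etc/pam.d/login   (assumed stock layout; verify against your system)
#
# Before: the auth stack is shared with every other service through
# /etc/pam.d/system, which on a stock install ends in pam_unix.so.  A
# plain /etc/master.passwd password is therefore still accepted, no
# matter which flags telnetd handed to login(1).
#
#auth		required	pam_nologin.so		no_warn
#auth		sufficient	pam_self.so		no_warn
#auth		include		system
#
# After: keep the non-password gate, then require pam_skey.so and
# nothing else.  No "sufficient" password module follows it, so a
# correct Unix password alone is rejected for this service only.
# (pam_self.so is dropped on purpose: as "sufficient" it would let a
# user whose real uid already matches skip S/Key entirely.)
auth		required	pam_nologin.so		no_warn
auth		required	pam_skey.so

# account, session and password stacks stay as shipped
account		include		system
session		include		system
password	include		system
```

Two caveats a practitioner should check: only users who have run skeyinit(1) can satisfy pam_skey.so, so everyone else is locked out of telnet logins (which is what login -s used to mean); and the edit touches only the "login" service, so su, sshd and anything else that includes /etc/pam.d/system keep accepting Unix passwords. To confirm the change took, telnet to localhost and offer the account's Unix password; it must be refused.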