tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: BSD Auth

>>>>> On Mon, 18 Aug 2008 14:12:10 -0400,
        "Greg A. Woods; Planix, Inc." <> said:

> Previous discussions resulted in nothing really and PAM was blasted
> into the tree without taking into account any technical
> considerations.

Such summary is unfair.

From some points of view, PAM is more secure than BSD Auth, and that
was one of reasons why PAM was choosed.

With PAM, password attack can be only done via programs who already
own root privilege.  With BSD auth, anyone can do password attack.
For practical example, "pkgsrc/security/pam-pwauth_suid" implements
restriction that a user can try only his own password.  BSD auth opens
wider window against such attack.

Another reason is that some features like Kerberos credential handling
cannot be implemented by BSD auth.

Home | Main Index | Thread Index | Old Index