tech-security archive


Re: BSD Auth

> I use the following settings in my mk.conf (plus there should be some  
> changes to some makefiles and to the sets lists, but I haven't got  
> around to them yet):
>       MKPAM =         no
>       USE_PAM =       no

Well, blow me down! I'm still using my old mk.conf. I haven't even noticed
there's MKPAM and USE_PAM. Lots of thanks for the tip, Greg!

> > I've lived happily without it so far. I don't mind having it in base, I'm
> > just curious whether it's possible to replace its functionality by BSD
> > Auth. I managed to find some code written in 2003 and now I'm examining
> > it to see what can be done with it and if it can be somehow integrated
> > alongside with PAM.
> I'm not sure it would make sense to have them integrated together into  
> the same system.  In my estimation they can't really both be there in  
> the same build (certainly not for anyone who wants the full and  
> guaranteed privilege separation offered by BSD Auth), and with a  
> compile-time option the non-default one is sure to bitrot.

I think I can give that code a try :) I suppose I'll have to start with an
older release, probably 1.6 or 2.0, and then gradually upgrade to 3.0 or
maybe 4.0 with PAM disabled.

> One can try porting the BSD Auth code from OpenBSD.  I have not yet tried
> that myself.

That occurred to me too, only I'm not sure it'll be easier than the solution
above. Either way, there's no guarantee things will work. So I'll try both
approaches and see what happens.

> Lame excuses were given that somehow BSD Auth could be implemented as a PAM
> module after PAM was fully integrated [...]

Uh, you are just kidding, right? BSD Auth as a PAM module?!

Best regards
