tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: BSD Auth

On Tue, Aug 19, 2008 at 11:37:25AM -0400, Greg A. Woods; Planix, Inc. wrote:
> Also, way back in 1998 David Holland wrote the following about the 
> fallacies of poor screen lock program design:
> [...]
>     What about passwordless accounts where you get access via .shosts or
>     ssh keys or weird site-specific systems? Even if you use PAM, some of
>     these just plain won't work with xlock. Of course, this in itself
>     doesn't mean that people who have login passwords and want to use them
>     shouldn't, necessarily, but I really don't see that typing an 8-letter
>     word is a big strain.

For the record, the latter means "typing in an unlock password when
locking the screen", the same way lock(1) works.

However, in a broader context, this doesn't matter. There are also
other window-system programs that really do need to be able to check
passwords, such as xdm. Many of them have had security issues over the

PAM has a number of more fundamental problems than the lack of
privilege separation; however, as I recall bsdauth isn't really a
credible alternative, nor for that matter does it really address those
problems properly.

A real solution will, among other things, not require getty and login
to run as root. This solution does not currently exist.

David A. Holland

Home | Main Index | Thread Index | Old Index