[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: BSD Auth
On Tue, Aug 19, 2008 at 11:37:25AM -0400, Greg A. Woods; Planix, Inc. wrote:
> Also, way back in 1998 David Holland wrote the following about the
> fallacies of poor screen lock program design:
> What about passwordless accounts where you get access via .shosts or
> ssh keys or weird site-specific systems? Even if you use PAM, some of
> these just plain won't work with xlock. Of course, this in itself
> doesn't mean that people who have login passwords and want to use them
> shouldn't, necessarily, but I really don't see that typing an 8-letter
> word is a big strain.
For the record, the latter means "typing in an unlock password when
locking the screen", the same way lock(1) works.
However, in a broader context, this doesn't matter. There are also
other window-system programs that really do need to be able to check
passwords, such as xdm. Many of them have had security issues over the
PAM has a number of more fundamental problems than the lack of
privilege separation; however, as I recall bsdauth isn't really a
credible alternative, nor for that matter does it really address those
A real solution will, among other things, not require getty and login
to run as root. This solution does not currently exist.
David A. Holland
Main Index |
Thread Index |