tech-security archive


Re: BSD Auth



>>>>> On Mon, 18 Aug 2008 14:12:10 -0400,
        "Greg A. Woods; Planix, Inc." <woods%planix.ca@localhost> said:

> Previous discussions resulted in nothing really and PAM was blasted
> into the tree without taking into account any technical
> considerations.

Such a summary is unfair.

From some points of view, PAM is more secure than BSD Auth, and that
was one of the reasons why PAM was chosen.

With PAM, a password attack can only be done via programs that already
have root privilege.  With BSD auth, anyone can do a password attack.
As a practical example, "pkgsrc/security/pam-pwauth_suid" implements
the restriction that a user can try only his own password.  BSD auth opens
a wider window to such attacks.


Another reason is that some features like Kerberos credential handling
cannot be implemented by BSD auth.
-- 
soda

