PAM Service Name Patch

Jim Knoble jmknoble at jmknoble.cx
Tue Apr 17 08:40:55 EST 2001


Circa 2001-Apr-16 15:36:09 -0500 dixit Mark D. Roth:

: On Mon Apr 16 22:08 2001 +0200, Kevin Steves wrote:
: > On Sat, 14 Apr 2001, Mark D. Roth wrote:
: > : > I've attached a patch relative to OpenSSH 2.5.1p1 which sets the
: > : > default PAM service name to __progname instead of the hard-coded value
: > : > "sshd".
: > 
: > did we agree that there were no security issues with that patch?  i
: > think so, and i don't see any problem with it.
: 
: IIRC, no one identified any problems with it, so it should be good to
: go.

If i recall, there were concerns voiced that a local user would be able
to create a link to sshd using a different service name which would be
handled by a more lenient PAM configlet (such as 'other').

I believe the response was that that didn't really matter, since local
users would have to have privilege to begin with in order to run sshd
such that they could take advantage of the link to gain privilege.
Chicken-and-egg.

Anyone else remember differently?

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
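
The service-name selection discussed in this thread, as an added example that is not part of the original message or of OpenSSH: it derives the PAM service name from the invocation name and reports which policy would apply, compared with the fixed name "sshd". The function names, the sample `PAM_D` list and the invocation paths are constructed for illustration, and the fallback to `other` assumes Linux-PAM style lookup for a service with no policy file of its own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: policy files in a hypothetical /etc/pam.d. */
static const char *const PAM_D[] = { "sshd", "login", "other" };
#define PAM_D_LEN (sizeof PAM_D / sizeof PAM_D[0])

/* Service name taken from the invocation name: the basename of argv[0],
 * which is what __progname normally holds. */
const char *service_from_argv0(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return (slash != NULL && slash[1] != '\0') ? slash + 1 : argv0;
}

/* Assumed Linux-PAM style lookup: a service without its own file is
 * handled by the "other" policy. */
const char *effective_policy(const char *service)
{
    for (size_t i = 0; i < PAM_D_LEN; i++)
        if (strcmp(PAM_D[i], service) == 0)
            return PAM_D[i];
    return "other";
}

/* Returns 1 when a name-derived service would be checked against a
 * different policy than the fixed service name "sshd". */
int policy_differs(const char *argv0)
{
    return strcmp(effective_policy(service_from_argv0(argv0)),
                  effective_policy("sshd")) != 0;
}

int main(void)
{
    /* Constructed invocation names, including two link names. */
    const char *const samples[] = {
        "/usr/sbin/sshd", "sshd", "/home/u/bin/sshd-alt", "/home/u/bin/login"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *svc = service_from_argv0(samples[i]);
        printf("%-22s service=%-9s policy=%-6s %s\n", samples[i], svc,
               effective_policy(svc),
               policy_differs(samples[i]) ? "DIFFERS from sshd" : "same as sshd");
    }
    return 0;
}
```

For names with no policy file of their own, the reported difference is only as large as the gap between the `sshd` and `other` policies.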