incomplete/insufficient logic for making access decisions

Darren J Moffat darrenm at eng.sun.com
Sat Mar 23 05:41:12 EST 2002


On Mon, 18 Mar 2002, Frank Cusack wrote:

> I'd agree, this sounds like a reasonable (possibly even good) thing to do.
> You'd have to delay PAM startup until a non-PAM auth started (if you used
> PAM auth you'd have to end it and restart it -- ugly and not worthwhile).
>
> Something like
>
>     # Account service to use for non-PAM authentication.  When using
>     # PAM auth, this is always "sshd".  When using non-PAM auth (eg rsa)
>     # the configured service name is used.  Can contain %a which is
>     # substituted with the auth type.  Default is "sshd".
>     PAMAcctService sshd

I very strongly disagree with this.  As one of the "keepers" of PAM
at Sun (the original author) this is the wrong thing to do.  Doing this
increases the complexity of the administration.

There is a better mechanism for doing this in Solaris but it is not yet
public - we are in the process of doing this just now.  I believe it
solves the issue.

-- 
Darren J Moffat
