Subject: Re: PAM enabled on head
To: None <hubertf@gmx.de, current-users@NetBSD.org>
From: Christos Zoulas <christos@zoulas.com>
List: current-users
Date: 03/07/2005 23:17:29
On Mar 8,  2:57am, hubertf@gmx.de (Hubert Feyrer) wrote:
-- Subject: Re: PAM enabled on head

| In article <20050228024050.2E84C2AC98@beowulf.gw.com> you wrote:
| > Starting with your next build, most programs that perform authentication
| > will be using PAM: login, su, xdm, ftpd, telnetd, ppp, etc. This will
| > allow us to use other authenticators such as radius, plus provide a
| > consistent authentication mechanism for all programs that need it.
| 
| Can you comment on how different our implementation is from FreeBSD, IOW: 
| Does http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/ apply for 
| NetBSD as well?

We have changed PAM to fail closed. I.e. a missing PAM configuration will
default to fail authentication as opposed to allow it. We are still
thinking of adding even more strict checks in the authentication path, so
that incorrect configurations will not default to allow someone access.

christos
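
Added example, not part of the original message and not NetBSD or OpenPAM code: a simplified Python model of the fail-closed rule described above, where a service with no usable auth chain is denied and a chain made only of always-succeeding modules is flagged. The function names, the fallback to a policy named `other`, and the sample policy contents are assumptions made for illustration.

```python
# Simplified model of PAM policy lookup; constructed for illustration only.
def parse_policy(text):
    """Parse pam.d-style lines: facility control module [options]."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then split
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2]))
    return rules

def chain_for(policies, service, facility, seen=frozenset()):
    """Resolve one facility's module chain, following `include` lines."""
    if service in seen or service not in policies:
        return []  # include loop or missing file contributes no modules
    seen = seen | {service}
    chain = []
    for fac, control, module in parse_policy(policies[service]):
        if fac != facility:
            continue
        if control == "include":
            chain += chain_for(policies, module, facility, seen)
        else:
            chain.append((control, module))
    return chain

def auth_decision(policies, service):
    """Return 'deny', 'fail-open' or 'run-chain' for an auth request."""
    chain = chain_for(policies, service, "auth")
    if not chain:  # assumed fallback to the conventional "other" policy
        chain = chain_for(policies, "other", "auth")
    if not chain:
        return "deny"  # fail closed: nothing configured means no access
    if all(module == "pam_permit.so" for _, module in chain):
        return "fail-open"  # misconfiguration: every module always succeeds
    return "run-chain"

# Constructed sample policies (file name -> contents), not NetBSD's shipped files.
SAMPLE = {
    "system": "auth required pam_unix.so no_warn try_first_pass\n",
    "login": "auth include system\naccount required pam_unix.so\n",
    "ftpd": "#auth required pam_unix.so\nsession required pam_permit.so\n",
    "xdm": "auth sufficient pam_permit.so\n",
}

if __name__ == "__main__":
    for svc in ("login", "ftpd", "telnetd", "xdm"):
        print(svc, auth_decision(SAMPLE, svc))
```

In the sample, `ftpd` has its only auth line commented out and `telnetd` has no policy file at all; both come out as `deny`, while `xdm` is reported as `fail-open`.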