Subject: Re: PAM enabled on head
To: None <current-users@NetBSD.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: current-users
Date: 03/08/2005 10:41:46
On Tue, Mar 08, 2005 at 01:07:34AM -0800, John Nemeth wrote:
> On Jul 29,  2:03am, Bernd Ernesti wrote:
> } On Mon, Mar 07, 2005 at 11:17:29PM -0500, Christos Zoulas wrote:
> } 
> } > We have changed PAM to fail closed. I.e. a missing PAM configuration will
> } > default to fail authentication as opposed to allow it. We are still
> } > thinking of adding even more strict checks in the authentication path, so
> } > that incorrect configurations will not default to allow someone access.
> } 
> } So this means that you can no longer login if you don't have an /etc/pam.d
> } or an empty one?
> 
>      If /etc/pam.d is empty then there would be nothing to tell PAM
> which authentication modules to use, so why would you expect it to
> work?  This would be sort of like deleting /etc/passwd.

Comparing it to /etc/passwd is not fair.
It was and is always needed, but PAM was not needed before, so you have problems if
you do an update.

So what happens if you do an update?

Right now you could update the system without populating /etc before you boot with
the new binaries; OK, something could fail, but not in such a major way that you
could no longer log in.
Updates of /etc are always not easy.

I'm not feeling very comfortable with changing the security infrastructure at this
point.

IMHO we need at least some sane defaults if /etc/pam.d doesn't exist or contains
no files.

Bernd