Re: 5.1 beta2 still in trouble with pam_ldap

• Previous message: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• In reply to: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Next in thread: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Reply: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 23 May 2003 22:49:09 +0300
To: Dag-Erling Smorgrav <des@ofug.org>

On Fri, May 23, 2003 at 09:41:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru@FreeBSD.org> writes:
> > Why pam_nologin in the "auth" chain of the "login" service is marked
> > "required" and not "requisite", and why do we have the "required" at
> > all? What's the point in continuing with the chain if we are going
> > to return the failure anyway? What's the real application of
> > "required" as compared to "requisite"?
>
> Information leak. The applicant screwed up, but we don't want to let
> him know that until he's jumped through all the *other* hoops as well;
> otherwise he might learn something about our authentication setup from
> the premature error message.
>
Works for the generic case, but not for this particular example.
Just run "shutdown -k now" locally, and watch how funny the login
session looks. I don't think we're leaking something here. ;)
Hm, or maybe this is just the problem with pam_nologin(8) not
respecting the "no_warn" option?

Cheers,

-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

• application/pgp-signature attachment: stored

• Previous message: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• In reply to: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Next in thread: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Reply: Dag-Erling Smorgrav: "Re: 5.1 beta2 still in trouble with pam_ldap"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Safe to lengthen a chain? ... missing a shift while climbing and dropping the chain. ... foot in the pedal and the other on the road at anything above 10mph is ... A drive train failure is similar because ... it occurs when pushing hard, with rider CG ahead of the forward foot, ... (rec.bicycles.tech) Re: Safe to lengthen a chain? ... missing a shift while climbing and dropping the chain. ... I have broken cranks and pedals while riding out of the saddle ... foot in the pedal and the other on the road at anything above 10mph is ... a certain fall to the side of the pedal/crank failure. ... (rec.bicycles.tech) Re: 1975 CB750 K5 ... >> Could I replace the chain and sprockets with stouter parts? ... > It's a fun bike, ... guarantee it will stop leaking. ... (rec.motorcycles.tech) Re: Safe to lengthen a chain? ... missing a shift while climbing and dropping the chain. ... Broken bars or forks are a different story. ... foot in the pedal and the other on the road at anything above 10mph is ... a certain fall to the side of the pedal/crank failure. ... (rec.bicycles.tech) Re: Slightly OT: Saab Opinions ... >> I wouldn't have thought turbo failure would be your biggest problem. ... >> Have browse some the SAAB forums for camchain failure! ... With a timing chain, I would normally expect it to ... (uk.rec.cars.maintenance)