Re: Patch to include PAM support...

From: "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Patch to include PAM support...
Date: 2001-06-12 17:19:59
Message-ID: Pine.LNX.4.21.0106121211420.6822-100000@morannon.the-infinite.org
Lists: pgsql-hackers pgsql-patches

On Tue, 12 Jun 2001, Bruce Momjian wrote:

> > Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > > I know there were concerns about blocking but is that problem any more so
> > > than other interfaces we already support?
> >
> > We don't need to make it worse. We've already had trouble reports about
> > postmaster hangups with broken IDENT servers; PAM will hugely expand the
> > scope of potential troubles. Can you say "denial of service"?
>
> Does it really? You are saying PAM can make "denial of service" attacks
> even easier than ident?

If anything, then "possibly as easy as ident" - but that's a worst case
scenario. And the reason for that is because they both potentially use
outside server/services. PAM doesn't _have_ to authenticate into external
devices, the LDAP example is just an example from my/our situation. You
could use PAM to authenticate into the local system password file, and/or
use it to create user limits (Only 3 connections per user, as example..)

> If it is the same risk, I think it is OK, but if it is worse, I see your
> point. (I don't know much about PAM except it allows authentication.)

My apologies if PAM has somehow been equated to "remote server
authentication piece" - there is a lot more to PAM than the ability to
easily do remote authentication.

http://www.kernel.org/pub/linux/libs/pam/whatispam.html
http://www.kernel.org/pub/linux/libs/pam/FAQ

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
