Ruslan Ermilov <ru_at_FreeBSD.org> writes:
> Why pam_nologin in the "auth" chain of the "login" service is marked
> "required" and not "requisite", and why do we have the "required" at
> all? What's the point in continuing with the chain if we are going
> to return the failure anyway? What's the real application of
> "required" as compared to "requisite"?

Information leak. The applicant screwed up, but we don't want to let him know that until he's jumped through all the *other* hoops as well; otherwise he might learn something about our authentication setup from the premature error message.

DES
--
Dag-Erling Smorgrav - des_at_ofug.org

Received on Fri May 23 2003 - 10:41:13 UTC
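
A simplified model of the behaviour described in the reply above, as an added example that is not part of the original message and is not code from any PAM implementation. Only the "required" and "requisite" control flags are modelled, and the module functions and context fields are hypothetical stand-ins for pam_nologin and a password module.

```python
# Simplified model of PAM chain evaluation (constructed example, not PAM source).
# Only the "required" and "requisite" control flags are modelled.

def run_chain(chain, ctx):
    """Return (granted, modules_run).

    modules_run stands for what the applicant can observe indirectly,
    e.g. whether a password prompt ever appeared before the failure.
    """
    failed = False
    modules_run = []
    for control, name, module in chain:
        modules_run.append(name)
        if module(ctx):
            continue
        failed = True
        if control == "requisite":
            break  # fail immediately: later modules never run
        # "required": remember the failure, keep walking the chain
    return (not failed, modules_run)

# Hypothetical stand-ins for pam_nologin and a password-checking module.
def nologin(ctx):
    return not ctx["nologin_active"]

def password(ctx):
    return ctx["typed"] == ctx["real"]

def login_chain(nologin_control):
    return [(nologin_control, "nologin", nologin),
            ("required", "password", password)]

def observations(nologin_control):
    """Outcome for a wrong-password applicant, keyed by nologin state."""
    out = {}
    for active in (False, True):
        # Constructed sample input.
        ctx = {"nologin_active": active, "typed": "guess", "real": "s3cret"}
        out[active] = run_chain(login_chain(nologin_control), ctx)
    return out

if __name__ == "__main__":
    for control in ("required", "requisite"):
        obs = observations(control)
        verdict = "same" if obs[False] == obs[True] else "different"
        print(f"{control:9} -> {obs}  ({verdict} for the applicant)")
```

With "required" the failed applicant sees the same sequence whether or not nologin is in effect; with "requisite" the chain stops early, and that difference is the premature signal the reply refers to.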