On Fri, May 23, 2003 at 09:41:09PM +0200, Dag-Erling Smorgrav wrote:
> Ruslan Ermilov <ru_at_FreeBSD.org> writes:
> > Why pam_nologin in the "auth" chain of the "login" service is marked
> > "required" and not "requisite", and why do we have the "required" at
> > all? What's the point in continuing with the chain if we are going
> > to return the failure anyway? What's the real application of
> > "required" as compared to "requisite"?
>
> Information leak. The applicant screwed up, but we don't want to let
> him know that until he's jumped through all the *other* hoops as well;
> otherwise he might learn something about our authentication setup from
> the premature error message.
>
Works for the generic case, but not for this particular example.
Just run "shutdown -k now" locally, and watch how funny the login
session looks. I don't think we're leaking something here. ;)

Hm, or maybe this is just the problem with pam_nologin(8) not
respecting the "no_warn" option?

Cheers,
-- 
Ruslan Ermilov       Sysadmin and DBA,
ru_at_sunbay.com     Sunbay Software AG,
ru_at_FreeBSD.org    FreeBSD committer,
+380.652.512.251     Simferopol, Ukraine

http://www.FreeBSD.org    The Power To Serve
http://www.oracle.com     Enabling The Information Age
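The generic case discussed in this message, as an added example that is not part of the original post and is not PAM's own code: a simplified model of chain evaluation showing what an applicant can observe when the first module is "required" versus "requisite". It models only those two control flags; the second module (pam_unix), the function names and the outcomes are assumptions constructed for illustration.

```python
# Simplified model of the PAM control flags "required" and "requisite" only.
# The chain and module outcomes are constructed for illustration.
from typing import Callable, List, Tuple

Module = Tuple[str, str, Callable[[], bool]]  # (control flag, name, check)


def run_chain(chain: List[Module]) -> Tuple[bool, List[str]]:
    """Return (authenticated, names of the modules that actually ran)."""
    failed = False
    executed = []
    for flag, name, check in chain:
        if flag not in ("required", "requisite"):
            raise ValueError(f"unsupported control flag: {flag}")
        executed.append(name)
        if check():
            continue
        failed = True
        if flag == "requisite":
            break  # fail immediately: later modules never run
        # required: remember the failure and keep walking the chain
    return (not failed, executed)


def login_chain(nologin_flag: str, nologin_active: bool,
                password_ok: bool) -> List[Module]:
    """Hypothetical two-module "auth" chain for the "login" service."""
    return [
        (nologin_flag, "pam_nologin", lambda: not nologin_active),
        ("required", "pam_unix", lambda: password_ok),
    ]


def observable(nologin_flag: str, nologin_active: bool,
               password_ok: bool) -> Tuple[bool, bool]:
    """What the applicant sees: (login result, was a password requested)."""
    ok, executed = run_chain(
        login_chain(nologin_flag, nologin_active, password_ok))
    return ok, "pam_unix" in executed


if __name__ == "__main__":
    for flag in ("required", "requisite"):
        for nologin in (False, True):
            state = "nologin" if nologin else "normal"
            print(flag, state, observable(flag, nologin, password_ok=False))
```

In this model a failed attempt under "required" looks the same whether or not logins are disabled, while "requisite" ends the session before the password step.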