[996] in arla-drinkers
Re: PAM and arla
daemon@ATHENA.MIT.EDU (Tim Yardley)
Tue Jul 20 16:50:38 1999
Date: Tue, 20 Jul 1999 15:45:24 -0500 (CDT)
From: Tim Yardley <yardley@ncsa.uiuc.edu>
Reply-To: Tim Yardley <yardley@ncsa.uiuc.edu>
To: Tobias Schaefer <T.Schaefer@science-computing.de>
cc: Assar Westerlund <assar@sics.se>, arla-drinkers@stacken.kth.se,
kth-krb-bugs@nada.kth.se
Subject: Re: PAM and arla
On Tue, 20 Jul 1999, Tobias Schaefer wrote:
: But I _do_ think that even root's token should be protected by a PAG. If
: this is not possible, every daemon on the system works with this token.
: This is unnecessary at best.
I don't remember the exact reasoning, but if I recall correctly...
Transarc decided that root should not get a pag shell. This was decided
for some security reason, however... I do not recall exactly what it was.
: I'm quite sure this did work with dtlogin for SOLARIS 2.5 / 2.6. (No
: experience with 2.7 though.)
Yes, it works fine in pre-2.7 Solaris versions. However, as to the exact
reason why it no longer works as it is supposed to, there are several
different factors that could be at play. One is that PAM versions changed
between 2.6 and 2.7; another is that dtlogin changed versions as well.
[yardley@pecos]:[~] which sum
/usr/ncsa/bin/sum
[yardley@pecos]:[/usr/dt/bin] uname -a
SunOS pecos.ncsa.uiuc.edu 5.4 Generic_101945-51 sun4d sparc
[yardley@pecos]:[/usr/dt/bin] sum dtlogin
08002 156
[yardley@wormwood]:[~] which sum
/usr/ncsa/bin/sum
[yardley@wormwood]:[~] uname -a
SunOS wormwood.ncsa.uiuc.edu 5.6 Generic sun4m sparc SUNW,SPARCstation-5
[yardley@wormwood]:[~] sum /usr/dt/bin/dtlogin
43974 158
[yardley@solace]:[~] which sum
/usr/ncsa/bin/sum
[yardley@solace]:[~] uname -a
SunOS solace.ncsa.uiuc.edu 5.7 Generic sun4m sparc SUNW,SPARCstation-10
[yardley@solace]:[~] sum /usr/dt/bin/dtlogin
06499 165
/tmy
-- Diving into infinity my consciousness expands in inverse
proportion to my distance from singularity