* Tim van Erven <[EMAIL PROTECTED]> [020506 16:02]:
> > I rather think ssh should check also earlier for root
> > and not even call PAM when root login is not permitted
> > and someone tries to log in as root.
>
> This will reveal that root login is never permitted. Probably no big
> deal, but it would be nice if it could be avoided.

If it waited some time for itself, then a possible difference between PAM's waiting time and ssh's waiting time would be hard to detect, as root may cause other waiting times than other accounts in PAM. And I would rather people know that I do not let ssh in than that they may be able to check for the root password.

> I disagree. By that reasoning it would be even better if OpenSSH
> double-checked all of PAM's work. That would add bloat to ssh and
> possibly even introduce new security problems. If you're going to rely
> on PAM, you should rely on PAM.

That's why I talked about "reasonable" security checks. Duplicating all of PAM's functionality would be bloat. Disabling possible security problems by disabling root early seems reasonable to me.

Respectfully,
Bernhard R. Link

--
The man who trades freedom for security does not deserve
nor will he ever receive either. (Benjamin Franklin)