| From | Sent On | Attachments |
|---|---|---|
| ob1k | Mar 10, 1999 12:46 pm | |
| Janos Mohacsi | Mar 10, 1999 1:46 pm | |
| ob1k | Mar 10, 1999 2:22 pm | |
| Marco Molteni | Mar 10, 1999 3:49 pm | |
| Angelos D. Keromytis | Mar 10, 1999 5:54 pm | |
| Robert Watson | Mar 10, 1999 7:10 pm | |
| Robert Watson | Mar 10, 1999 7:27 pm | |
| Jamie Lawrence | Mar 10, 1999 8:03 pm | |
| Jordan K. Hubbard | Mar 10, 1999 11:38 pm | |
| Wes Peters | Mar 10, 1999 11:58 pm | |
| Michael Maxwell | Mar 11, 1999 12:18 am | |
| Janos Mohacsi | Mar 11, 1999 6:55 am | |
| Cy Schubert | Mar 11, 1999 7:21 am | |
| andrewr | Mar 11, 1999 9:16 am | |
| ob1k | Mar 11, 1999 9:59 am | |
| Robert Watson | Mar 11, 1999 10:43 am | |
| Robert Watson | Mar 11, 1999 10:52 am | |
| mi...@seidata.com | Mar 11, 1999 12:24 pm | |
| give in to your chemical emotions | Mar 11, 1999 1:44 pm | |
| Nicholas Brawn | Mar 11, 1999 2:31 pm | |
| andrewr | Mar 11, 1999 3:33 pm | |
| Marco Molteni | Mar 11, 1999 4:31 pm | |
| Angelos D. Keromytis | Mar 11, 1999 4:51 pm | |
| Andrew McNaughton | Mar 11, 1999 4:51 pm | |
| Archie Cobbs | Mar 11, 1999 9:14 pm | |
| andrewr | Mar 11, 1999 10:08 pm | |
| Matthew Dillon | Mar 11, 1999 10:28 pm | |
| Ludo Koren | Mar 12, 1999 12:30 am | |
| Fernando Schapachnik | Mar 12, 1999 3:43 am | |
| Robert Watson | Mar 12, 1999 5:50 am | |
| Espen Torseth | Mar 12, 1999 6:09 am | |
| Wes Peters | Mar 12, 1999 6:42 am | |
| Robert Watson | Mar 12, 1999 6:56 am | |
| Fernando Schapachnik | Mar 12, 1999 7:09 am | |
| The Unicorn | Mar 12, 1999 7:21 am | |
| Ilmar S. Habibulin | Mar 12, 1999 7:29 am | |
| Coranth Gryphon | Mar 12, 1999 7:36 am | |
| Christopher Petrilli | Mar 12, 1999 7:43 am | |
| Robert Watson | Mar 12, 1999 8:01 am | |
| Wes Peters | Mar 12, 1999 9:04 am | |
| Ilmar S. Habibulin | Mar 12, 1999 9:17 am | |
| Love | Mar 12, 1999 10:17 am | |
| Matthew Dillon | Mar 12, 1999 10:18 am | |
| mi...@seidata.com | Mar 12, 1999 10:32 am | |
| Archie Cobbs | Mar 12, 1999 10:35 am | |
| mi...@seidata.com | Mar 12, 1999 10:56 am | |
| Warner Losh | Mar 12, 1999 11:50 am | |
| Robert Watson | Mar 12, 1999 11:54 am | |
| Matthew Dillon | Mar 12, 1999 4:57 pm | |
| ni...@FERALMONKEY.ORG | Mar 12, 1999 5:50 pm | |
| David Scheidt | Mar 12, 1999 6:32 pm | |
| Matthew Dillon | Mar 12, 1999 7:58 pm | |
| David Scheidt | Mar 12, 1999 8:34 pm | |
| Ilmar S. Habibulin | Mar 12, 1999 10:09 pm | |
| Alan Weber | Mar 13, 1999 5:02 pm | |
| Robert Watson | Mar 13, 1999 5:19 pm | |
| Alan Weber | Mar 13, 1999 6:38 pm | |
| Peter Jeremy | Mar 14, 1999 1:43 am | |
| Wes Peters | Mar 14, 1999 5:49 am | |
| Rodney W. Grimes | Mar 14, 1999 9:42 am | |
| Peter Jeremy | Mar 15, 1999 1:28 am | |
| Jaye Mathisen | Mar 19, 1999 12:48 pm | |
| Subject: | disappointing security architecture | |
|---|---|---|
| From: | Janos Mohacsi (moha...@iit.bme.hu) | |
| Date: | Mar 10, 1999 1:46:39 pm | |
| List: | org.freebsd.freebsd-security | |
Dear Fellow FreeBSD Users,
I was quite interested in the security architecture of FreeBSD 3.1. At the moment I am quite disappointed.
1. PAM is a good thing, but it seems to be integrated only into login (with authentication). When will there be /etc/pam.d for other tools too? Session management? Account management (how does it cooperate with login.conf)? Password management? Is there any documentation about
pam_cleartext_pass_ok.so pam_radius.so pam_skey.so pam_tacplus.so pam_unix.so ?
2. What is /etc/auth.conf? Why is it necessary? Why was the /etc/login.conf model (or PAM) for authentication good?
(login.conf, pam.conf, auth.conf .... confusion.conf ;-)
3. The ideas behind /etc/login.conf were quite good. Wasn't it possible to extend it for management (session, password, authentication)? I think login.conf was quite strong in session and account management with different classifications of users. The only missing thing was the sessiontime/idletime and sessionlimit management, which could be done with -- idled.
4. The man page falsely advertises that /bin/rcp and /bin/rsh use /etc/auth.conf. (Maybe after installing Kerberos?)
5. I think some setuid root programs should be restricted to certain groups (removing the setuid or execute bit for everyone):
ccdconfig (necessary only for sysadmins)
route (Why would users want to change routes?)
fstat (probably not necessary for ordinary users)
cu (should be restricted to the dialer group)
netstat, iostat, nfstat, sysstat, vmstat, pstat, timedc, lpc (just for a few admin people)
/usr/libexec/uucp/uucico (publicly executable?)
I think of the rule of thumb: fewer public setuids, less security hazard.
6. About password update management: OpenBSD did it well. It can be configured in /etc/login.conf (based on classes). Another point where OpenBSD made some steps forward: they have IPSec (PF_KEY v2 !!).
7. OPIE (alternate S/Key): When will it be integrated? OPIE is part of the system but not integrated into login/telnet/ftp. Will it be integrated as part of PAM?
Any comments are welcome.
Sincerely, Janos Mohacsi
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
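The "fewer public setuids" rule of thumb in item 5 is easy to turn into a check and a fix. The script below is an added example, not code from the original post or from FreeBSD: it finds setuid programs that are still executable by "other" and restricts a chosen one to an administrative group (owner rwx+setuid, group r-x, nothing for others), which is the alternative to stripping the setuid bit outright. It runs on a constructed tree of empty placeholder files named after binaries from the post, so no real program is touched; ADMIN_GROUP is a stand-in (the current primary group by default) for whatever group should keep access, such as the dialer group mentioned for cu.

```shell
# Added example (not part of the original post): audit public setuid
# programs and restrict one to a group, as item 5 proposes.

# Print regular files under $1 whose mode has both the setuid bit (4000)
# and world-execute (0001): setuid programs that anyone may run.
audit_public_setuid() {
    find "$1" -type f -perm -4001 2>/dev/null | sort
}

# Restrict setuid program $1 to members of group $2:
# rwx+setuid for the owner, r-x for the group, no access for others.
restrict_setuid_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Succeeds if the single file $1 is executable by "other".
is_world_executable() {
    [ -n "$(find "$1" -perm -0001 -print 2>/dev/null)" ]
}

# Demo on constructed placeholder files (not real binaries). ADMIN_GROUP is
# a stand-in for the real administrative group; the current primary group
# is used so the demo runs unprivileged.
demo() {
    root=$(mktemp -d) || return 1
    admin_group=${ADMIN_GROUP:-$(id -gn)}
    for name in ccdconfig route cu; do
        : > "$root/$name"
        chmod 4755 "$root/$name"     # the shape of a public setuid binary
    done
    echo "before:"; audit_public_setuid "$root"
    restrict_setuid_to_group "$root/cu" "$admin_group"
    restrict_setuid_to_group "$root/ccdconfig" "$admin_group"
    echo "after:"; audit_public_setuid "$root"   # only route is still public
    rm -rf "$root"
}

demo
```

On a live system the audit would be pointed at /bin, /sbin, /usr/bin and /usr/sbin, and the output compared against the list of programs that genuinely need to be runnable by every user before any mode is changed; mode 4750 keeps the program working for group members while making it invisible to everyone else.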