[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pam-list
Subject:    Re: Su doesn't work with pam-0.56
From:       Raul Miller <rdm () rdm ! legislate ! com>
Date:       1997-02-26 16:26:17
[Download RAW message or body]

Han Holl:
> And here again the communication with the user is confusing as well:
> su: password incorrect
> is misleading, because it's so specific.
> su: permission denied
> would be an improvement.
> su: only members of 'wheel'group can su to root
> would be just great.

This reminds me of some of the "fun" I've had diagnosing
authentication problems on high security systems.

While some people will argue that knowing what security mechanism you
tripped up against should itself be privileged information, it's also
true that to have good security you need to audit the security
mechanisms.

It's too easy, in a deployed system, to disable some critical piece of
security under the mistaken idea that it's preventing users from
accessing the system.

[I've not looked at pam to see if it will give a trace of which
mechanisms are being checked against, with success/fail.  Presumably
it's in there -- if not, here's a red flag.]

-- 
Raul

[prev in list] [next in list] [prev in thread] [next in thread]