On Tue, Feb 12, 2019 at 09:15:39AM -0500, Jens John wrote: > On Tue, 12 Feb 2019, at 12:02, Leonid Isaev via arch-general wrote: > > I am sorry to ask this so late in the discussion, but why Arch default of the > > "other" module was insecure (and hence why the change)? Is there something > > wrong with pam_unix? > > Not inherently. They implemented a suggestion from the upstream product > manual and decided that it was OK to break random [authentication related] > packages instead of fixing the reverse deps from official repos first and > then changing pambase. > > Either package maintenance responsibilities are really as fragmented as not > to care at all or they just ignored it. Given that falconindy is the > maintainer of pambase, I'll go with the latter interpretation (no judgement > implied). There is no problem with using upstream defaults (so I personally support the change to the pambase package), and I think that ppl should just fix their stuff to properly work with PAM. But I still don't understand why using pam_unix.so was called permissive policy... Thanks, -- Leonid Isaev
