Hello Joerg!

On Sat, 28 Dec 2002, Joerg Sommer wrote:

> > be handy if the user's application wants to do its own authentication.
>
> I don't know, if this is a good thing or if you open with this some
> security holes.

The applications which grant privileges (login, sshd and similar) are run by root anyway, so they are going to be configured by root...

An application which grants access to some user's resources is totally under the responsibility of that user anyway. The user already has the total control over her resources and always can (usually "may not", but still can!) give them away.

> Better is IMHO, if the admin can include a file into a
> file in /etc/pam.d/x, something like "$HOME/.pam/x".

Why have to create identical pam entries on thousands of hosts, as soon as we set up a new application that needs authentication (like a new xlock-even-more, vnc, any other legitimate user-run interactive service available to untrusted parties)?

It is our reality - applications runnable on multiple administration domains, where the administrators do not want to touch their hosts' /etc.

> And what is such an application, that wants to do authentication by its own
> way? And what will it do different to /etc/pam.d/x?

We could run several instances of the same application (sshd, samba, younameit), even on the same host, with different authentication policies (and different sets of resources available to the processes), for testing, or for different uses, say to isolate student laboration administration from administration of massive computational tasks by the employees...

Regards,
--
Ivan

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list