On 09/21/12 23:12, Stuart Henderson wrote:
> On 2012/09/21 03:09, Alexander Hall wrote:
> > This is annoying, as it requires you to set auth=... and then explicitly
> > close any services you don't want to expose, like "auth-ssh=" etc.
> > Obviously, this could very well lead to an incomplete list of disabled
> > services, causing all sorts of discomfort for the user and/or system
> > administrator.

> With the example it makes a lot more sense, however I think this ought
> to go upstream so it can be documented in the wiki, this way of using
> login.conf is new to me and I suspect quite a few other people.
> Now I know what it's for, I certainly wouldn't object to adding it
> as a patch once it's in upstream.

I am not one of the people living in the unix world since the epoch, but I'd say this is how it's supposed to be used. So documenting it in detail in every place using bsd auth is maybe not the way to go. Now, we're talking about the specific documentation of dovecot, so I'd guess it could make sense there.

Anyway, would we need a patch if it's in upstream? Or do you mean it gets into the trunk but not in the version we have?

> > This diff introduces "auth-$service" as type, allowing stuff like this
> > in login.conf:

> When I was reading login.conf(5) to work out what this does before
> you sent your followup mail, I was confused between "service type" and
> "authentication type", so I would explicitly use the term "authentication
> type" rather than just "type" in any documentation.


Yeah, it's quite useful actually being able to pinpoint which services to allow. I'd say using auth_userokay() _without_ a service can be quite bad from a security perspective, because you might end up allowing more services than you intended.

/Alexander
