[opensuse-factory] securetty still around
Is there a particular reason we still use pam_securetty.so? With `systemd-nspawn -b`, one needs an entry for "console", with `machinectl login`, somehow allowing pts/* as well. The same probably goes for kmscon. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Jan Engelhardt wrote:
> Is there a particular reason we still use pam_securetty.so? With `systemd-nspawn -b`, one needs an entry for "console", with `machinectl login`, somehow allowing pts/* as well. The same probably goes for kmscon.
Am I understanding that 'PAM' has also been replaced by systemd?
Besides console, the /etc/securetty file I have has /dev/ttyS[01] vc/[1-6] (and the pts's).
What's machinectl?
Would it be used to add the above? Any reason why it wouldn't just read the /etc/securetty file and apply permissions dynamically, based on user patterns, criteria and devices present in /dev?
I see it used in /etc/pam.d/remote as well as /etc/pam.d/rlogin.
rlogin is clear, but what progs use 'remote'?
FWIW -- I've found 'rlogin' to be about 3-5X faster than ssh (over a closed/internal network). Similarly, the recently deprecated MD4 algorithm was noticeably faster than other options. Would be nice if 'ssh' had an option for using null encryption on local->local sessions.
On Friday 2015-01-09 23:41, Linda Walsh wrote:
> Jan Engelhardt wrote:
>> Is there a particular reason we still use pam_securetty.so? With `systemd-nspawn -b`, one needs an entry for "console", with `machinectl login`, somehow allowing pts/* as well. The same probably goes for kmscon.
> Am I understanding that 'PAM' has also been replaced by systemd?
We can't mindread, so we do not know if you understand it as such.
> What's machinectl?
A utility like xm(1) used to control certain aspects of virtualization guest.
> Would it be used to add the above?
No. xm and machinectl are used on the host. The securetty issue occurs in the guest.
> I see it used in /etc/pam.d/remote as well as /etc/pam.d/rlogin.
> rlogin is clear, but what progs use 'remote'?
Ever bothered to look at the file?
> FWIW -- I've found 'rlogin' to be about 3-5X faster than ssh (over a closed/internal network).
I've found DOS to boot significantly faster to prompt than Windows. Does not mean that it is desirable.
Jan Engelhardt wrote:
>> What's machinectl?
> A utility like xm(1) used to control certain aspects of virtualization guest.
>> Would it be used to add the above?
> No. xm and machinectl are used on the host. The securetty issue occurs in the guest.
So in a non-vm setup with securetty being used to monitor specify TTY's available for remote login from a client, there is no 'guest', so how would you manage things in a "remote", non-vm setup, wouldn't the pam module still apply (more than one person has noticed the drop in remote compatibility in more recent versions 12.x+ of OSuse, perhaps using 'vm's, predominantly or solely for testing is related to that? Just a thought...
>> I see it used in /etc/pam.d/remote as well as /etc/pam.d/rlogin.
>> rlogin is clear, but what progs use 'remote'?
> Ever bothered to look at the file?
--- Nope -- doesn't exist:
which remote
-bash: type: remote: not found
Ishtar:law/bin> man remote
No manual entry for remote
>> FWIW -- I've found 'rlogin' to be about 3-5X faster than ssh (over a closed/internal network).
> I've found DOS to boot significantly faster to prompt than Windows. Does not mean that it is desirable.
Sorry, but I have all the same programs and features available using 'rlogin' on a 'closed-network', as using ssh. If you find DOS to provide the exact same features at 3-5x the speed, I suggest you reconsider it.
On 01/09/2015 04:41 PM, Linda Walsh wrote:
>>> FWIW -- I've found 'rlogin' to be about 3-5X faster than ssh (over a closed/internal network).
>> I've found DOS to boot significantly faster to prompt than Windows. Does not mean that it is desirable.
> Sorry, but I have all the same programs and features available using 'rlogin' on a 'closed-network', as using ssh. If you find DOS to provide the exact same features at 3-5x the speed, I suggest you reconsider it.
Funny! We also have a requirement to throw terabytes of data around on a closed-network. One of the internal links is 10-GigE, and using old-fashioned rcp instead of scp saves us so much time we measure it in days. Just this afternoon I managed to find the rsh-server rpms for openSuSE 11.3, I need to fold that machine into the network too. Isn't Linux great? But it still might be nice to be able to turn off scp encryption, if desired, without recompiling the server.
Regards,
Lew
On Saturday 2015-01-10 01:41, Linda Walsh wrote:
>> xm and machinectl are used on the host. The securetty issue occurs in the guest.
> ---- So in a non-vm setup with securetty being used to monitor specify TTY's available for remote login from a client, there is no 'guest', so how would you manage things in a "remote", non-vm setup, wouldn't the pam module still apply (more than one person has noticed the drop in remote compatibility in more recent versions 12.x+ of OSuse, perhaps using 'vm's, predominantly or solely for testing is related to that? Just a thought...
Nah, the presence/absence of a VM does not change the issue. I pondered a bit, and conclude:
* /etc/pam.d/remote tells us the file is used by `/bin/login -h`. rsh, being a remote login capability, should invoke that.
* Given login(8) apparently uses two distinct PAM service configuration files, /etc/pam.d/login is now purely for LOCAL logins.
* In the distribution, we defined local logins to be always secure. Therefore, pam_securetty.so's presence in /etc/pam.d/login is a bug.
>>> I see it used in /etc/pam.d/remote as well as /etc/pam.d/rlogin.
>>> rlogin is clear, but what progs use 'remote'?
>> Ever bothered to look at the file?
> Nope -- doesn't exist:
> which remote
> -bash: type: remote: not found
LOOK AT THE FILE, /etc/pam.d/remote.
> Sorry, but I have all the same programs and features available using 'rlogin' on a 'closed-network', as using ssh. If you find DOS to provide the exact same features at 3-5x the speed, I suggest you reconsider it.
When CPU is the bottleneck for network activity in a closed network, that hints to file copying. For which I would consider using rsync:// transport (it is unencrypted) rather than rcp.
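Added example (not part of the thread, and not PAM's own code): a simplified Python model of the check discussed above, showing why root is refused on `console` under `systemd-nspawn -b` and on `pts/N` under `machinectl login` when pam_securetty.so sits in the login stack. The file contents are constructed samples; literal per-line matching of /etc/securetty and the two-way split of control flags are assumptions of the model.

```python
import re

# Fields of a PAM service line: type, control (word or [bracketed]), module path.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
NON_BLOCKING = {"optional", "sufficient"}  # assumption: every other control blocks

def securetty_controls(pam_text):
    """Control flags of every auth-stack pam_securetty.so line in a service file."""
    found = []
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth" and m.group(3).endswith("pam_securetty.so"):
            found.append(m.group(2))
    return found

def listed_ttys(securetty_text):
    """Entries of /etc/securetty: one device name per line, matched literally."""
    lines = (l.strip() for l in securetty_text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def login_allowed(pam_text, securetty_text, tty, uid=0):
    """Would the modelled securetty check let this uid go on to authenticate?"""
    blocking = [c for c in securetty_controls(pam_text) if c not in NON_BLOCKING]
    if uid != 0 or not blocking:
        return True  # the module only restricts root; no module, no restriction
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return name in listed_ttys(securetty_text)

# Constructed sample files, not copied from any distribution.
LOGIN_PAM = """\
#%PAM-1.0
auth  required  pam_securetty.so   # the line the thread questions
auth  include   common-auth
"""
SECURETTY = "tty1\ntty2\nttyS0\nttyS1\nvc/1\n"

if __name__ == "__main__":
    for tty, how in [("tty1", "local VT"), ("/dev/console", "systemd-nspawn -b"),
                     ("pts/0", "machinectl login")]:
        verdict = "allowed" if login_allowed(LOGIN_PAM, SECURETTY, tty) else "DENIED"
        print(f"root on {tty:13} ({how}): {verdict}")
```

Non-root users pass regardless of the tty, which is why the breakage only shows up for root logins in the guest.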