Mark D. Baushke wrote:
> The biggest problem I have with PAM support for gnatsd is that you
> will now be sending a credential across the network in the clear which
> is presumably able to be used as a credential outside of gnats. This
> could lead to a simple password replay attack to gain access to
> systems by unauthorized individuals or their agents.
>
> I strongly urge you to first include and enable SSL (or TLS) support
> in gnatsd before you allow PAM to be used to authorize connections.

Agreed. This is definitely something that should get on the TODO list for gnatsd. Alternatively, there are ways of tunneling TCP connections over secure channels, so I don't think the lack of gnutls integration should exclude the PAM patch.

We should make it abundantly clear in the documentation that use of PAM authentication should be thoroughly protected. If such measures cannot be taken, don't enable PAM.

--
Chad Walstrom
http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */