In message <Pine.NEB.4.05.9811222033070.26398-100000@duhnet.net>, Todd Vierling
 writes:
>I suppose I misunderstood somewhat - I was thinking that login_whatever(1)
>was a program chosen by login(1) to be exec()d in its place.  In that case,
>it sounds as if these are servers for a particular type of database.

Somewhat like, yes.

>PAM is similar, but doesn't require communication with a server (or
>"middleman server", in the case of things like YP or SQL or radius).  The
>code is run in the space of the process doing authentication, via a shlib.

Okay, that's a difference.  I'm not sure which way I prefer it.  As it stands,
I'm pretty sure they're both fairly secure (I assume PAM does sanity checks
on .so's before using them), and there doesn't seem to be much of a
performance hit for BSDA, that I'm aware of.  I do sort of like the fact
that an authentication thing can be sh or perl.  ;)

-s