In message <199811231555.KAA01374@grosse.fugue.com>, Ted Lemon writes:
>	- Do we need this functionality at all?

Probably not, but it might make new authentication styles a lot easier.

>	- What are the strengths of PAM?
>	- What are the strengths of the BSD code?
>	- Of these, which are relevant to us?

That's one that can be argued only by people who've used both.

>If we do decide that we want to do it, we should carefully consider
>the pros and cons.   How does adding this code affect the
>configurability of NetBSD?

I can't speak for PAM, but the BSD Authentication scheme allows for a huge
number of configuration tricks, like accounts which can log in only during
certain hours.

>How easy is it to misconfigure the code?

Fairly easy, but most of the obvious errors are diagnosed.

>How much easier is it to configure new authentications schemes?   How
>will these configurable authentication schemes be used in practice?

I would guess that most of them would be wrappers on other schemes, but
a few would be brand-new schemes.  The feature is that you can set up
a system where most accounts use regular passwd authentication, but a
few special ones use the new scheme you're testing.

>Is there a customer for this functionality?   From that customer's
>perspective, is PAM better than BSD/os?

No clue.  ISP's could use this feature - I know, because I'm using it to
create a custom app for an ISP, that would not be practical without something
like BSD/OS.

>My general impression at this point is that PAM is a lot easier to
>configure than BSD/os.   Can people confirm or counter that
>impression?

Never tried PAM.  I know that it took me all of ten minutes to write a trivial
"wrapper" authentication scheme that imposes some additional limits on regular
RADIUS authentication, using the BSD Authentication scheme.

>Having said that, I don't think anybody's identified a
>customer for this feature, although several people have individually
>said that they would like it.   Who is the customer for this?

I think one of the main uses would be larger networks which want to do more
significant authentication services.  The ability to drop in wrappers on
schemes is very nice.  I'm not sure how PAM does that.  Does anyone know
how, using PAM, you'd generate a scheme which was {in business hours,
use this other scheme, otherwise, reject}?

One other thing I've noticed is that I think either can be used to implement
the other.  So, we might do both, just from a "make things easy for lots of
admins" standpoint.

I like the fact that BSD Authentication can allow non-setuid programs to
perform authentication checks that need root privs.  I also like the fact
that catastrophic failures in authentication schemes have no effect on the
program running them.

-s