Subject: Re: "BSD Authentication"
To: Ted Lemon <mellon@hoffman.vix.com>
From: Chris Jones <cjones@rupert.honors.montana.edu>
List: current-users
Date: 11/23/1998 16:47:43
>>>>> "Ted" == Ted Lemon <mellon@hoffman.vix.com> writes:
Ted> What I would say is a good measure of whether or not to
Ted> incorporate PAM or the BSD/os code is:
Ted> - Do we need this functionality at all?
My vote is yes. In my mind, classical /etc/passwd authentication is
not sufficiently secure in a networked environment, where packet
sniffers are getting easier and easier to run. The world hasn't
settled on a single, standard system for secure networked
authentication. That may actually be a good thing -- hybrid vigor and
the robustness of a heterogenous system.
At my previous job, we had a decade-old DECStation as the main
server. After I blessed it with an upgrade from Ultrix to
NetBSD/pmax, I was lucky enough to be responsible for installing
Kerberos on it. That meant login, ftpd, telnetd, popd, imapd,
xautolock (via xlock), rsh, and others which I can't remember right
now. It would have been *wonderful* if I could have just installed a
PAM or BSDAuth module, spent a day tweaking config files, and had
everything working. As it was, I spent months finding source for old
programs so that I could hack Kerberos support into them and
recompile.
Ted> [...] I don't think anybody's identified
Ted> a customer for this feature, although several people have
Ted> individually said that they would like it. Who is the customer
Ted> for this?
My prediction is that "new" (meaning "newer than /etc/passwd
validation") authentication methods are going to become more and more
common, due to several factors:
* Networks are becoming regarded as insecure.
* More and more malicious people are getting online. (Maybe not
proportionally, but certainly in absolute numbers.)
* PAM is out there, and people think it's cool, so they're going to
want to play with it.
On the other hand, moving to "new" authentication methods could be
slowed by export restrictions. Not many people enjoy writing code
that isn't exportable.
Chris
--
-----------------------------------------------------cjones@math.montana.edu
Chris Jones cjones@honors.montana.edu
Mad scientist at large cjones@nervana.montana.edu
"Is this going to be a stand-up programming session, sir, or another bug hunt?"