Subject: Re: "BSD Authentication"
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Simon J. Gerraty <sjg@quick.com.au>
List: current-users
Date: 11/24/1998 11:32:59

On the whole I agree with most of what der Mouse writes:

>On the nontechnical side, it seems that PAM is beginning to become a
>de-facto standard.  I'm not sure how much weight should be given to
>that; if we go for "de-facto standard", we should just support Windows
>DLLs and be done with it.  One of the things NetBSD is about, as I
>understand it, is technical excellence.

Hmm, I agree that popular does not imply good (though I'm not sure
anyone actually thinks Win/* is any good), but if an API exists which
is not totally broken then there is benefit in supporting it - this
applies to PAM and BSDAuth, and does not mean you can't do something 
"better", but you'd need to have some way good reasons to implement
something like this and not provide compatibility API(s).

>> [PAM] certainly simplifies a lot of development for portable
>> applications.

>How?  Building shared objects is system-specific magic on every system
>I know of that has them....

That's the PAM implementation side not the client side.
Users of PAM just need to (according to pam(3) on Solaris)

#include <security/pam_appl.h>

and call pam_*() and leave the authentication choices up to the 
OS/sysadmin - sounds ideal to me.

Presumably BSDauth can do the same.

>* When linked static, dl_open() can't work unless/until we redo our
>   dynamic linker as a .a library for use by such applications.  (In my
>   mind, doing this defeats much of the purpose of linking static; when
>   I link something static I usually do it because I want a completely
>   self-contained executable.)  BSDAuth wins here.

It _may_ be possible to do a pam_*() in a .a which just ended up
fork/exec'ing a process that could then do the dl_open(); the trick would
be choosing which ones to make stubs and which one to do the fork/exec in.
You would then have a PAM compatible API and the same "benefits"
as BSDauth.

In fact you could have a PAM method that used BSDauth :-)

I'm not saying one is better than the other.  I do know that I
would write to the PAM API to maximize the re-use of my code/effort.
That does not mean that I would mind if PAM were implemented on
NetBSD using BSDauth.

--sjg
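
The fork/exec arrangement suggested in the message above, as an added example that is not part of the original message or of any PAM or BSD Auth implementation: a stub that links statically and hands the decision to a separate helper process. The names `auth_via_helper` and `demo_helper`, and the helper protocol (secret on stdin, exit status 0 means accept), are assumptions made for this example.

```c
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { AUTH_OK, AUTH_DENIED, AUTH_ERROR };

/* Constructed stand-in helper (hypothetical): accepts only "s3cret". */
static char *const demo_helper[] =
    { "/bin/sh", "-c", "read s; [ \"$s\" = s3cret ]", NULL };

/* Assumed protocol: the secret arrives on the helper's stdin (never in argv,
 * which other users can see in ps); exit status 0 means accept. */
int auth_via_helper(char *const helper_argv[], const char *secret)
{
    int fds[2], status, sent;
    pid_t pid;

    if (pipe(fds) == -1)
        return AUTH_ERROR;
    if ((pid = fork()) == -1) {
        close(fds[0]); close(fds[1]);
        return AUTH_ERROR;
    }
    if (pid == 0) {                 /* child: becomes the helper */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) != -1)
            execv(helper_argv[0], helper_argv);
        _exit(127);                 /* dup2 or exec failed */
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);       /* process-wide; a library would restore it */
    sent = write(fds[1], secret, strlen(secret)) >= 0 &&
           write(fds[1], "\n", 1) == 1;
    close(fds[1]);
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR)
            return AUTH_ERROR;
    /* Fail closed: crash, missing helper or undelivered secret is never a yes. */
    if (!sent || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return AUTH_ERROR;
    return WEXITSTATUS(status) == 0 ? AUTH_OK : AUTH_DENIED;
}

int main(void)
{
    return auth_via_helper(demo_helper, "s3cret");   /* exits 0 on accept */
}
```

The calling binary needs nothing beyond fork/exec, so it can stay fully static while the helper is free to load whatever modules the administrator configured.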