Subject: Re: "BSD Authentication"
To: Ted Lemon <mellon@hoffman.vix.com>
From: Simon J. Gerraty <sjg@quick.com.au>
List: current-users
Date: 11/24/1998 14:27:33
>> > - Do we need this functionality at all?
Hmmm, do we really truly _need_ any of the facilities in the OS?
As for PAM, I for one would use it.
I have added s/key, TIS authsrv, X.509,... authentication to tools
like ftp, login, su, telnetd and even mountd! I would find it _very_
attractive to simply use pam_*().
Since I use NetBSD as my primary dev system - with a view to then
porting to Solaris etc (whatever my customers have) having PAM on
NetBSD is a win. So if you want, you can call _me_ your customer
for this functionality. I'll even do it myself (if no one is
in a hurry :-)
>This is very abstract. Can you say how you, specifically, would use
>it, or how somebody you specifically know would use it? I really
>think you should be able to answer the question "what are you going to
>do with this" with a clear, specific answer before you can claim that
>it should be integrated.
I would modify login, su, ftpd, telnetd and possibly even snfsd,
SSLrshd etc to use PAM. Not to mention my firewall proxies.
>write. WRT authentication in particular, making things possible that
>weren't previously possible isn't *necessarily* a good thing. This
>isn't a path on which we should embark lightly.
I agree. For my own systems I tend to just use X.509 certs for
authentication and most of my customers are happy with that too,
but some would like to use radius instead/as well - I would
prefer to be able to say to said folk "compile with -DUSE_PAM and
you can do what you like". Now I _could_ follow that path
without having PAM available on NetBSD, but I would prefer to
be able to test it myself - and for building firewalls on
NetBSD I may even use it.
As I said earlier - I don't mind if BSDAuth is the underlying mechanism,
but it is the PAM API that I would want to write to.
--sjg
> _MelloN_