Subject: Re: "BSD Authentication"
To: None <seebs@plethora.net>
From: Todd Vierling <tv@pobox.com>
List: current-users
Date: 11/24/1998 11:55:09
On Tue, 24 Nov 1998 seebs@plethora.net wrote:

: In message <Pine.NEB.4.05.9811232246280.26398-100000@duhnet.net>, Todd Vierling
:  writes:
: >I am running on the assumption that bsdauth contains *one* main function: an
: >affirmative/negative response to the question "will you authenticate this
: >user for a login session with these credentials?".  If this assumption is
: >wrong, would someone please stand up and explain the BSD Auth system in a
: >little more technical detail?
: 
: Hmm.
: 
: I'll just include the 'low level' man page; there's also a higher-level
: interface, but this is the one that has all the weird features.

Actually, the APIs seem *similar*, but BSD Auth gives more information about
the infrastructure of the authentication (with things such as
AUTH_CHALLENGE), and PAM does everything in one step, deliberately
concealing the authentication used to the caller.

AFAICT, PAM does have some incompatible modes of operation.  That means that
they are unfortunately not "stackable" - you can't implement one API on the
other without losing some information.  However, you can implement one on
the other if you are willing to channel multiple actions into one function
call in each case.

The ABI is a different issue.  Both module ABI backends appear to be
workable with either API frontend.

-- 
-- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)