Subject: Re: Philosophy of PAM and rc.d
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Roger Brooks <R.S.Brooks@liverpool.ac.uk>
List: current-users
Date: 03/18/1999 16:23:38
On Thu, 18 Mar 1999, Greg A. Woods wrote:

>[ On Wednesday, March 17, 1999 at 22:08:02 (-0800), dustin sallings wrote: ]
>> Subject: Re: Philosophy of PAM and rc.d
>>
>I personally don't at all like the idea of having "pluggable"
>authentication or authorization modules.  It scares the willies out of
>me.  /etc/nsswitch.conf is more than flexible enough, even if it's not
>100% fleshed out with fancy things like RADIUS and LDAP yet.  At least
>with nsswitch I have a 100% guaranteed single place to disable all the
>risky schemes and force everything to use local files, etc.

But PAM and nsswitch are _not_ two solutions to the same problem.
nsswitch lets you decide where getpwnam et al get their data from:
files, nis, nisplus (don't laugh - we use it) or some other repository
which you invent yourself.  Using nsswitch means you can add a new
repository without having to recompile any existing programs or libraries.
You just have to provide a shared object library which implements the
backend code to access your new repository.  With nsswitch your encrypted
passwords are as secure as a local shadow file (or NIS+).  However,
nsswitch won't let you get away from the scheme: password file/map
contains encrypted password, user types in plaintext password which
is encrypted and compared.

If you want some other kind of authentication (Kerberos, smartcard,
fingerprint scanner, urine analysis or whatever) a non-PAM system
requires that you hack everything which usually prompts for a password
(login, su, ftpd, xdm etc).  Under PAM, it isn't login which prompts for
the password -- it's code in pam_unix.so.  If you're using some other
type of authentication, another module will tell the user to insert
the smartcard, pee in the urine analyser or whatever.  The Solaris PAM
implementation allows you to use more than one type of authentication
(e.g. smartcard + password, and if you don't have a valid smartcard
you don't even get prompted for the password).
Roger

------------------------------------------------------------------------------
Roger Brooks (Systems Programmer),          |  Email: R.S.Brooks@liv.ac.uk
Computing Services Dept,                    |  Tel:   +44 151 794 4441
The University of Liverpool,                |  Fax:   +44 151 794 4442
PO Box 147, Liverpool L69 3BX, UK           | 
------------------------------------------------------------------------------
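An added illustration of the stacking behaviour described in the post above (example code, not from the post or from any real PAM implementation): the modules, not the application, issue the prompts through a conversation callback, and a "requisite" smartcard module that fails stops the stack before pam_unix ever asks for a password. The module names, user, credentials and control-flag semantics (requisite/required/sufficient/optional) are constructed for the example.

```python
# Simulation of PAM stacking (not real libpam): modules prompt via a
# conversation callback; control flags decide how results combine.
from typing import Callable, Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed credential store for a hypothetical user.
SMARTCARDS = {"alice": "card-1234"}
PASSWORDS = {"alice": "s3cret"}

Conv = Callable[[str], str]  # prompt text -> user's reply, supplied by the app


def pam_smartcard(user: str, conv: Conv) -> str:
    """Hypothetical smartcard module: it, not login, asks for the card."""
    token = conv("Insert smartcard: ")
    return SUCCESS if SMARTCARDS.get(user) == token else FAIL


def pam_unix(user: str, conv: Conv) -> str:
    """Password module: asks for and checks the password."""
    answer = conv("Password: ")
    return SUCCESS if PASSWORDS.get(user) == answer else FAIL


Stack = List[Tuple[str, Callable[[str, Conv], str]]]  # (control, module)


def pam_authenticate(stack: Stack, user: str, conv: Conv) -> str:
    """Walk the stack with requisite/required/sufficient/optional rules."""
    required_failed = False
    for control, module in stack:
        result = module(user, conv)
        if control == "requisite" and result == FAIL:
            return FAIL  # stop at once: later modules never run or prompt
        if control == "required" and result == FAIL:
            required_failed = True  # keep going, but the final answer is fail
        if control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS  # enough on its own: skip the rest of the stack
        # "optional" modules never change the outcome in this simulation
    return FAIL if required_failed else SUCCESS


# smartcard first; without a valid card the password prompt is never shown
LOGIN_STACK: Stack = [("requisite", pam_smartcard), ("required", pam_unix)]


def run_login(user: str, answers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Simulate one login; 'answers' maps prompt text to the user's reply.
    Returns (result, list of prompts the user actually saw)."""
    prompts: List[str] = []

    def conv(prompt: str) -> str:
        prompts.append(prompt)
        return answers.get(prompt, "")

    return pam_authenticate(LOGIN_STACK, user, conv), prompts
```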