Subject: Re: CVS commit: pkgsrc
To: None <current-users@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 11/10/2000 09:49:17
In message <20001110073909.J435@dr-evil.shagadelic.org>, Jason R Thorpe writes:
>PAM has the problem of requiring dynamic linking everywhere, and also
>doesn't, the last time I checked, have a nice way to specify the order
>of what auth methods are tried ... maybe I'm wrong on this one.

Mostly, it's fundamentally insecure.

>The NetBSD approach is, judging from the last discussion I participated
>in regarding it, going to be an auth daemon with an API to contact it.
>That auth daemon can also perform caching.

This is an interesting thing to think about.  Has anyone looked at the
"BSD Authentication" stuff in BSD/OS?  I would like to put in a vote for
as much compatibility as can sanely be provided.  BSD/OS doesn't use a
daemon for it, but nothing would stop the same API from going through a
daemon, in principle.

BSD Authentication uses a set of libc functions that pass authentication
requests off to programs with names like /usr/libexec/login_passwd or
/usr/libexec/login_radius.  There's a spec for how the programs are
written; the useful thing is you can write a trivial and correct program
for "do passwd auth, but reject outside of business hours" in about 10 lines
of shell.

On the other hand, a daemon sounds interesting.  Is anyone working on this?
If so, if you have any interest in a cooperative effort with the BSDi side,
drop me a line, I would like to see the systems have similar-to-identical
code, because it would make my life easier.  I'd like to see more cooperation
between the two best-engineered systems I am aware of.

-s
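As an added illustration (not code from the original mail or from BSD/OS), here is a login style in the shape Peter describes: a business-hours gate placed in front of the ordinary password method. It assumes the BSD Authentication conventions that a style is invoked as `login_style [-s service] [-v name=value] user [class]` and answers on the back channel, file descriptor 3, with `authorize` or `reject`; the name login_hours, the path /usr/libexec/login_passwd and the 09:00 to 17:59 Monday to Friday window are assumptions.

```shell
#!/bin/sh
# login_hours (example only, not from the original mail or BSD/OS):
# a BSD Authentication style that permits password authentication
# only during business hours.  Invoked by libc as
#   login_hours [-s service] [-v name=value] user [class]
# and expected to write its verdict, "authorize" or "reject", to the
# back channel on file descriptor 3.  Outside the window it rejects;
# inside it hands the unchanged request to the stock password style,
# which speaks the same protocol on the same descriptor.

# Assumed location of the stock password style.
PASSWD_STYLE=${PASSWD_STYLE:-/usr/libexec/login_passwd}

# in_business_hours HOUR DOW
#   HOUR is 0-23; DOW is 1 (Monday) .. 7 (Sunday), as printed by
#   `date +%u`.  True Monday-Friday 09:00-17:59, false otherwise.
in_business_hours() {
    hour=$1; dow=$2
    case $dow in
        6|7) return 1 ;;        # weekend: never
    esac
    [ "$hour" -ge 9 ] && [ "$hour" -le 17 ]
}

# decide HOUR DOW
#   Prints what this style does with a request at that time:
#   "reject" on its own, or "delegate" to the password style.
decide() {
    if in_business_hours "$1" "$2"; then echo delegate; else echo reject; fi
}

main() {
    now_hour=$(date +%H); now_dow=$(date +%u)
    now_hour=${now_hour#0}          # "09" -> "9" so it compares numerically
    if [ "$(decide "$now_hour" "$now_dow")" = reject ]; then
        echo reject >&3             # verdict goes on fd 3, never stdout
        exit 1
    fi
    # Same argv, same fd 3: the password style produces the final verdict.
    exec "$PASSWD_STYLE" "$@"
}

# Act as a login style only when given a user name; run with no
# arguments (or sourced) the file just defines the functions above.
if [ $# -gt 0 ]; then main "$@"; fi
```

The policy lives entirely in in_business_hours, so the script can be tested by calling decide with fixed hours rather than by changing the clock.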