Subject: Re: Pluggable authentication - PAM/BSD Auth
To: None <current-users@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 11/10/2000 14:18:19
In message <200011102005.eAAK5Ie17590@saruman.ics.muni.cz>, Jarom r Dolecek wri
tes:
>Neat :) I like the idea of separate program for doing the authentication and
>I like that this doesn't require the caller to load the authentication
>as shared object. Separate process, no way to cause side-effects
>in the caller process.
>I think the BSD Authentication is the right thing to use.
It is *very* slick. It has the nice feature that an authentication method
that needs setuid can, at the programmer's option, be made setuid but
executable by everyone else - so a non-setuid program can authenticate.
BTW, almost all of the code for it is available for use in *BSD; the only
thing we haven't opened up is the specific login_passwd, etc., programs.
I believe that at least one of login or su is available, for instance.
>It would probably be good if we use PAM API where possible, though.
>The PAM API to use would probably be primarily compatible with FreeBSD,
>Linux and Solaris (not necessarily in this order).
It wouldn't hurt to have support for the PAM API, but I think the BSD
Authentication API is a lot cleaner. I'm not entirely sure that PAM will
"win" in the end in FreeBSD, as the engineering groups start talking to
each other. I certainly hope we can deprecate it, at the very least.
-s