Subject: Re: Pluggable authentication - PAM/BSD Auth
To: None <current-users@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 11/10/2000 14:18:19
In message <200011102005.eAAK5Ie17590@saruman.ics.muni.cz>, Jaromír Doleček writes:
>Neat :) I like the idea of a separate program for doing the authentication and
>I like that this doesn't require the caller to load the authentication
>as a shared object. Separate process, no way to cause side-effects
>in the caller process.
>I think the BSD Authentication is the right thing to use.

It is *very* slick.  It has the nice feature that an authentication method
that needs setuid can, at the programmer's option, be made setuid but
executable by everyone else - so a non-setuid program can authenticate.

BTW, almost all of the code for it is available for use in *BSD; the only
thing we haven't opened up is the specific login_passwd, etc., programs.
I believe that at least one of login or su is available, for instance.

>It would probably be good if we use PAM API where possible, though.
>The PAM API to use would probably be primarily compatible with FreeBSD,
>Linux and Solaris (not necessarily in this order).

It wouldn't hurt to have support for the PAM API, but I think the BSD
Authentication API is a lot cleaner.  I'm not entirely sure that PAM will
"win" in the end in FreeBSD, as the engineering groups start talking to
each other.  I certainly hope we can deprecate it, at the very least.

-s
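The separate-process model the thread is praising, shown as an added example (this is not code from the thread, from NetBSD or from the BSD Authentication sources): the caller forks a helper, and the only thing that crosses the boundary is a one-line verdict on a back channel. A pipe stands in for the back-channel descriptor, the credential table is constructed inline, and the helper's logic runs as a function in the child rather than as a separately installed, setuid `login_*` binary; the names `authenticator` and `bsdauth_style_check` are assumptions made for this example. The caller never links or loads authentication code into its own address space, and anything other than an exact "authorize" line (including a helper that crashes before answering) is treated as a rejection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed credential table standing in for the password database.
 * Only the helper side ever reads it; the caller has no access path to it. */
struct cred { const char *user; const char *password; };
static const struct cred creds[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Helper side (what a login_passwd-style program would do): receive the
 * candidate user/password, decide, and answer with exactly one line on the
 * back channel. Nothing else about the caller is visible or touchable here. */
static void authenticator(int backchan, const char *user, const char *password)
{
    const char *verdict = "reject\n";
    for (size_t i = 0; i < sizeof creds / sizeof creds[0]; i++) {
        /* A real helper would compare against a stored hash, not plaintext. */
        if (strcmp(creds[i].user, user) == 0 &&
            strcmp(creds[i].password, password) == 0) {
            verdict = "authorize\n";
            break;
        }
    }
    if (write(backchan, verdict, strlen(verdict)) < 0)
        _exit(1);
    _exit(0);
}

/* Caller side: fork, hand the child the write end of the back channel, read
 * one line back. Returns 1 only on an exact "authorize" line, 0 otherwise,
 * so a missing, truncated or unexpected answer fails closed. */
int bsdauth_style_check(const char *user, const char *password)
{
    int fds[2];
    if (pipe(fds) == -1)
        return 0;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return 0;
    }
    if (pid == 0) {
        close(fds[0]);
        /* In the real design the child would execve() an installed helper
         * whose own setuid bit, not the caller's privilege, grants it access
         * to the password database. Here the helper runs as a function. */
        authenticator(fds[1], user, password);
    }
    close(fds[1]);
    char buf[64];
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, "authorize\n") == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user password\n", argv[0]);
        return 2;
    }
    int ok = bsdauth_style_check(argv[1], argv[2]);
    printf("%s\n", ok ? "authorized" : "rejected");
    return ok ? 0 : 1;
}
```

Because the verdict is the whole interface, the caller does not need to trust the helper's code, and the helper does not need to trust the caller: a helper that is setuid but world-executable can be invoked by an unprivileged program exactly as the message describes, while a bug in the helper cannot corrupt the caller's memory.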