Subject: Re: PAM
To: Bill Studenmund <wrstuden@netbsd.org>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: current-users
Date: 08/28/2002 18:38:12
On Tue, Aug 27, 2002 at 05:13:11PM -0700, Bill Studenmund wrote:
> On Wed, 28 Aug 2002, Noriyuki Soda wrote:
> 
> > >>>>> On Wed, 28 Aug 2002 00:42:00 +0900, itojun@iijlab.net said:
> >
> > > > 	* PAM modules
> > > 	a bit off topic: was it decided to introduce PAM?
> >
> > It isn't decided, yet, as far as I know.
> 
> I don't think it's been decided yet. I suspect we'll need to support both.
> 
> > >	I don't like PAM,
> > > 	and I prefer BSD auth.  (i remember soda-san didn't like BSD auth
> > > 	for additional setuid binaries, but i think the benefit overweighs
> > > 	the addition of setuid binaries)
> >
> > As you know, I don't like BSD auth.
> > Because:
> > - IMHO, it's less secure than PAM.
> >   One of the reasons is the additional 10 set[ug]id binaries in BSD auth.
> >   But I have other things to worry about BSD auth.
> > - BSD auth cannot correctly handle authentication methods which need to
> >   modify process status for authorization (like some kerberos
> >   implementation).
> 
> This latter reason is why I think PAM is the one we should do first. You
> can build BSD auth on top of PAM much easier than you can do the reverse.
> There are some fundamental things, like AFS tokens, that BSD auth just
> can't do.

What of SASL? http://asg.web.cmu.edu/sasl/
Isn't that yet one layer down, so you write your application to use libsasl
and it uses pam/?bsd auth? etc?

Patrick
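The point raised above about BSD auth versus PAM (an authenticator that runs as a separate process cannot hand process-level state such as Kerberos credentials or AFS tokens to the caller, while an in-process module can) is easy to see in a small program. The following is an added illustration, not code from NetBSD, PAM, BSD auth, SASL or any poster in this thread; the user table, the `DEMO_CRED` variable and both `auth_*` functions are constructed placeholders for the two architectures.

```c
/* Added example: in-process vs. out-of-process authentication and
 * per-process credentials. Not code from NetBSD, PAM, BSD auth or SASL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed user table for the demo (placeholder, not a credential store). */
static int check_password(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* Hypothetical credential the authenticator wants to leave in the caller's
 * process (in real systems: a ticket cache, an AFS token, a group list). */
#define CRED_VAR "DEMO_CRED"

/* BSD-auth style: the check runs in a separate child process (setuid in real
 * deployments) that reports only a verdict over a pipe. Anything the child
 * does to its own process state disappears when it exits. */
int auth_out_of_process(const char *user, const char *pass)
{
    int fd[2];
    if (pipe(fd) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        close(fd[0]);
        char verdict = check_password(user, pass) ? '1' : '0';
        if (verdict == '1')
            setenv(CRED_VAR, "child-side-only", 1); /* never reaches the parent */
        (void)write(fd[1], &verdict, 1);
        _exit(0);
    }
    close(fd[1]);
    char verdict = '0';
    (void)read(fd[0], &verdict, 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return verdict == '1';
}

/* PAM style: the module runs inside the calling process, so it can modify
 * the caller's process state as part of authentication. */
int auth_in_process(const char *user, const char *pass)
{
    if (!check_password(user, pass))
        return 0;
    setenv(CRED_VAR, "set-in-caller", 1);
    return 1;
}

/* What the calling process can see afterwards (NULL if nothing was set). */
const char *caller_credential(void)
{
    return getenv(CRED_VAR);
}

int main(void)
{
    unsetenv(CRED_VAR);
    int ok = auth_out_of_process("alice", "correct-horse");
    const char *cred = caller_credential();
    printf("out-of-process: ok=%d cred=%s\n", ok, cred ? cred : "(none)");
    ok = auth_in_process("alice", "correct-horse");
    cred = caller_credential();
    printf("in-process:     ok=%d cred=%s\n", ok, cred ? cred : "(none)");
    return 0;
}
```

Both calls return success for the right password, but only the in-process variant leaves `DEMO_CRED` visible to the caller; the out-of-process design would need an extra protocol (passing descriptors or data back through the pipe) for every kind of state it wants to hand over, which is the gap the thread refers to.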