Subject: Re: PAM
To: Gary Thorpe <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 09/23/2002 16:24:30
[ On Monday, September 23, 2002 at 15:00:35 (-0400), Gary Thorpe wrote: ]
> Subject: Re: PAM
> You're right, I was thinking more of kernel modules
> (which are even more EviL and BaD).
If kernel modules are evil and bad, then for many of the same reasons so
are any dynamic-loaded code in any privileged process.
> Regardless, PAM is
> easier: build/download new modules, copy new modules
> to a directory. No recompile, no restarting. Which is
> less time-consuming?
I fail to see any difference between this and installing new
authentication schemes in static-linked programs. Build and/or download
new modules. Copy new modules to the appropriate directories.
"build" == "compile" -- so only a difference there if you want there to
be one. Nobody types more than "./configure; make" anyway, so it really
doesn't matter how much happens behind the scenes or what gets (re)built.
Properly designed software, i.e. software explicitly designed for
high-availability environments, auto-restarts without losing state. So,
only a difference there if you use poorly designed software (yes, NetBSD
does currently fit in this category for this requirement). In any case
most of the programs needing new authentication modules don't run all
the time anyway so don't need restarting in the first place, and almost
all of the rest can be restarted (automatically even) with no impact on
existing connections. The only tricky one is 'init', and it's really
not that tricky at all -- just a S.M.O.P., and it's likely VERY rare it
would need new auth services at runtime anyway, only at reboot time and
since you're restarting init by definition at reboot, well, ....
Other than that I fail to see any significant differences that would
make PAM any "easier" or less time consuming.
To me it seems straight-forward compile-time table driven methods are
much simpler and thus much more reliable and thus much less time
consuming for all involved.
Nice façade to your argument I suppose, but not much of substance behind
Indeed if one were to "do" PAM "properly" it would be a _lot_ harder for
some people, and only marginally easier for a tiny fraction of users who
would actually make use of the feature. Everyone else would just be
along for the ride, and if you're going to do things that way then does
it really matter that much to you what you're riding on?
Greg A. Woods
+1 416 218-0098; <firstname.lastname@example.org>; <email@example.com>
Planix, Inc. <firstname.lastname@example.org>; VE3TCP; Secrets of the Weird <email@example.com>
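As an added illustration of the "compile-time table driven" approach Woods contrasts with PAM above (this is example code written for this page, not code from the thread, from NetBSD or from any PAM implementation): the set of authentication methods is a static array fixed when the binary is linked, and a configuration string such as "passwd,otp" can only select and order entries from that array. An unknown method name is rejected when the chain is resolved, not at login time, and no code is loaded into the privileged process at runtime. The method names, the two toy checkers, the user/secret table and the token value are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One row of the compile-time method table: a name the configuration
 * may refer to, and the checker linked into this binary for it. */
struct auth_method {
    const char *name;
    bool (*check)(const char *user, const char *secret);
};

/* Constructed toy checker standing in for a password-file lookup.
 * (A production checker would hash and compare in constant time.) */
static bool check_passwd_file(const char *user, const char *secret)
{
    static const char *const users[][2] = {   /* constructed sample data */
        { "alice", "correct-horse" },
        { "bob",   "battery-staple" },
    };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i][0], user) == 0)
            return strcmp(users[i][1], secret) == 0;
    return false;
}

/* Constructed toy one-time-token checker with a fixed token value. */
static bool check_otp(const char *user, const char *secret)
{
    (void)user;
    return strcmp(secret, "123456") == 0;
}

/* The whole universe of methods this program can ever use. Adding one
 * means editing this table and relinking; nothing is dlopen()ed. */
static const struct auth_method auth_table[] = {
    { "passwd", check_passwd_file },
    { "otp",    check_otp },
};

static const struct auth_method *lookup_method(const char *name)
{
    for (size_t i = 0; i < sizeof auth_table / sizeof auth_table[0]; i++)
        if (strcmp(auth_table[i].name, name) == 0)
            return &auth_table[i];
    return NULL;
}

/* Resolve a comma-separated chain ("passwd,otp") against the table.
 * Returns the number of methods resolved, or -1 if any name is unknown
 * or the chain is too long: a typo in the configuration is caught when
 * the chain is loaded, before any user tries to log in. */
int resolve_chain(const char *spec, const struct auth_method **out, int max)
{
    char buf[256];
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    int n = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        const struct auth_method *m = lookup_method(tok);
        if (m == NULL || n == max)
            return -1;
        out[n++] = m;
    }
    return n;
}

/* Convenience wrapper: does the configured chain name only methods that
 * exist in this binary? */
bool chain_is_valid(const char *spec)
{
    const struct auth_method *methods[8];
    return resolve_chain(spec, methods, 8) > 0;
}

/* Run every method in the chain; all must succeed ("required" semantics).
 * secrets[i] is the credential presented to the i-th method. */
bool authenticate(const char *chain, const char *user,
                  const char *const secrets[])
{
    const struct auth_method *methods[8];
    int n = resolve_chain(chain, methods, 8);
    if (n <= 0)
        return false;
    for (int i = 0; i < n; i++)
        if (!methods[i]->check(user, secrets[i]))
            return false;
    return true;
}

int main(void)
{
    const char *const creds[] = { "correct-horse", "123456" };  /* constructed */
    printf("passwd,otp valid: %d\n", chain_is_valid("passwd,otp"));  /* 1 */
    printf("passwd,ldap valid: %d\n", chain_is_valid("passwd,ldap")); /* 0 */
    printf("alice login: %d\n", authenticate("passwd,otp", "alice", creds)); /* 1 */
    return 0;
}
```

The point of the example is the failure mode: a chain naming a method that was never linked in ("passwd,ldap") is refused outright by resolve_chain, whereas a dynamically loaded design would at best fail when the module file is missing and at worst load whatever file happens to sit at that path.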