Subject: Re: PAM
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/25/2002 13:23:45
Greg A. Woods wrote:
> I think you've been snowed. PAM is no panacea. Perhaps you should talk
> more to those who've actually tried to use it on a variety of
> non-compatible systems. A lot of the problems you say you've been
> struggling with might disappear entirely if a different approach is
> taken.
I agree. It's a pain in the ass to use. Definitely not
administrator-friendly. Confusing organization, config files, and good
luck with debugging. Perhaps people who consider modularity through
loadable shared libraries don't realize the design is still monolithic.
Even if we forget about the loadable modules for a moment, why are the
configuration files so convoluted with all these PAM implementations?
Modules themselves are not standardized and not portable. Right now
Linux is where the PAM and NSS support shines among open Unixes. You'll
find those modules work with Linux only though.
The other question is, why should a system administrator be forced to
use it? Many utilities which use authentication are simply shipped
linked to a PAM library. If you decide to use something else, you are
required to cut the PAM API code out, or rewrite them.
Fixing the problems and not the symptoms will benefit everybody and save
time and resources down the road. On the other hand, just because some
few would benefit from PAM in the near future, doesn't mean the rest
should be prevented from benefiting from a better authentication
framework.