Subject: Re: PAM
To: None <email@example.com>
From: Dan Melomedman <firstname.lastname@example.org>
Date: 09/25/2002 15:51:56
Jim Wise wrote:
> Wow. You only log into your system using /usr/bin/login? Cool.
> Many other people want the ability to compile authentication into a wide
> range of existing programs. Can you explain to use how an apache module
> could use exec chaining for authentication?
I use login as an example, and you know it. Could easily fork
/exec an authenticator which would return ok, fail, etc. But why Apache
anyway? Its modules are already written to use SQL, LDAP, etc. As I
said, if software already supports a type of external authentication which
I'd need, I'd gladly use it. If however, a system administrator desires
to authenticate real system accounts, the picture is very different.
Authentication is actually the easier part, heck, I'd write the common
utility replacemenst myself if I was forced to.
If however, there was a _simple_ framework, administrator would only
write a simple authenticator module. I fail to see how writing PAM modules is
trivial, whereas with exec chains things really could be trivial for a
NSS is a whole different story. changing where getp* finds its information
is not so straight-forward, same for NSS APIs.
Bottom line - PAM isn't the only way to do it.