Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/25/2002 17:05:19
Jim Wise wrote:
> But that's just it -- even the base system includes a wide range of
> applications beyond /usr/bin/login which log users in in one way or
> another (think ssh, ftp, rsh, telnet for starters), and it is difficult
> to see rewriting all of them to fit exec-chaining into their logic.

Is it difficult to see all those rewritten to use PAM? OpenSSH can use
login, BTW.

> 
> So, to be clear, your opinion is that each third party application which
> uses authentication should provide its own custom module interface, and
> its own modules for every possible authentication system which might be
> used?  Keep in mind that some transactions which can quite happily use
> PAM (such as database access or http authentication) are rather
> difficult to map to an exec-chaining method...

My opinion is if the interface is already provided by some software, may
as well use it. But the generic OS utilities interface for
authentication from external sources should be simple. Writing PAM
modules is too much overhead. Look at pam_ldap - huge. While an LDAP
checkpassword takes a page of code to write.

> Certainly true, but it's a well defined, and already-existing (and
> standardized)  way of doing things which a lot of third-party software
> we want to provide already supports.

Standardized? Also, which software in particular would you like to see
supported? Again, just because PAM will benefit a few people doesn't
mean the rest should deal with, or rely on it. Unless this can be
somehow avoided, everything which needs authentication will need to be
rewritten for PAM.

Personally, I am more concerned about NSS-related functions. Writing
simple checkpassword authentication modules and login utilities is trivial
if you're required to do it. However, I fail to see how to easily let getp*()
functions pull from an external source. How can this now be done in
FreeBSD/NetBSD? Right now NSS is built into the C library. How can it be
modularized? What do I do for LDAP authentication? Link LDAP libraries
into libc? Use LD_PRELOAD? Not too flexible - is it?
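
An added example, not code from this thread or from NetBSD: a minimal checker in the checkpassword style of exec-chaining that the message contrasts with PAM modules. It assumes the fd-3 record format and the 1/2/111 exit codes of that interface, and uses a constructed in-memory credential table in place of the LDAP or other external source a real checker would query.

```c
/* Added example (not from the thread): checkpassword-style exec-chaining. The caller
 * writes "user\0pass\0timestamp\0" to fd 3; on success the checker execs argv[1..],
 * otherwise it exits 1 (2 for misuse, 111 for a temporary error). */
#include <string.h>
#include <unistd.h>
struct cred { char user[64]; char pass[128]; };

/* Split one fd-3 record into user and password (the timestamp is ignored).
 * Returns 0 on success, -1 if a NUL terminator is missing or a field is too long. */
int parse_checkpassword(const char *buf, size_t len, struct cred *out) {
    const char *p = memchr(buf, '\0', len);               /* end of user */
    if (!p) return -1;
    size_t ulen = (size_t)(p - buf) + 1;                  /* includes the NUL */
    const char *q = memchr(buf + ulen, '\0', len - ulen); /* end of password */
    if (!q) return -1;
    size_t plen = (size_t)(q - (buf + ulen)) + 1;
    if (ulen > sizeof out->user || plen > sizeof out->pass) return -1;
    memcpy(out->user, buf, ulen);
    memcpy(out->pass, buf + ulen, plen);
    return 0;
}

/* Compare without early exit so timing does not reveal where the strings differ. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char d = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}
/* Constructed stand-in for the external source (LDAP etc.) a real checker would query. */
static const struct cred table[] = { {"alice", "correct horse"}, {"bob", "hunter2"} };
/* -1 malformed record, 0 rejected, 1 accepted. */
int check_record(const char *buf, size_t len) {
    struct cred c;
    if (parse_checkpassword(buf, len, &c) != 0) return -1;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].user, c.user) == 0) return ct_equal(table[i].pass, c.pass);
    return 0;
}
int main(int argc, char **argv) {
    char buf[512];
    if (argc < 2) return 2;                       /* misuse: nothing to chain to */
    ssize_t n = read(3, buf, sizeof buf);         /* a single read suffices for a demo */
    if (n < 0) return 111;
    int r = check_record(buf, (size_t)n);
    if (r != 1) return r < 0 ? 2 : 1;
    execvp(argv[1], argv + 1);                    /* success: chain to the next program */
    return 111;                                   /* exec failed */
}
```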