Subject: Re: PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Greywolf <greywolf@starwolf.com>
List: current-users
Date: 09/25/2002 16:20:54

To add to the mix,

When trying to set up PAM, I do note that "things which require paths to
modules" are daunting compared to "put this basename here and let it
search the predefined path(s)".

I notice that under Solaris, all sorts of fields are required for each
entry.  There must be a somewhat less complex way of setting up modules
for incorporation.  I haven't played with Linux sufficiently to see how
their PAM works.

One thing I think we NEED to have in there is some method of fallback
in the event that the modload on PAM fails; for login, it would fall
back to "files", for example.  SSH would use whatever method is
preferred for it, and other apps which require auth should fall back
to some pre-compiled method.

In short, a system needs not to be crippled beyond recovery if, for some
strange reason, PAM blows up.

If we can accomplish something on this order, that might be kind of
cool.

If we can Make PAM Completely Optional [TM] through NSS, that would be
even better (there are those of us, after all, who presently do not
need or want any of the circumspection provided through PAM when a simpler
load would suffice).

POV:  I try to take a reasonable stance on this sort of thing.  I'm not
altogether enthused with the frailty with which I perceive dynamic/modular
loading to be fraught, and this includes PAM and its current complexities.
However, I do think that to shut ourselves off to it altogether is not
entirely wise.  If we stop and stagnate, we die faster than we will if we
move forward and at least attempt to meet up with the rest of the world.

On Wed, 25 Sep 2002, Dan Melomedman wrote:

# Bill Studenmund wrote:
# > Is your objection to PAM that there should be an easy way to write
# > modules? Because you can do that with PAM; just write the auth system you
# > are describing as a PAM module!
#
# I doubt writing a PAM module would be so easy, or portable. But who
# knows; maybe you guys will be able to roll out something which is PAM
# but at the same time as easy to use, debug, etc. I have yet to find
# something like this, so I have my doubts.

				--*greywolf;
--
NetBSD: priapic OS