Subject: Re: PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/25/2002 20:31:42
[ On Wednesday, September 25, 2002 at 17:05:19 (-0400), Dan Melomedman wrote: ]
> Subject: Re: PAM
>
> Personally, I am more concerned about NSS-related functions. Writing
> simple checkpassword authentication modules and login utilities is trivial
> if you're required to do it. However, I fail to see how to easily let getp*()
> functions pull from an external source. How can this be now done in
> FreeBSD/NetBSD?
see nsdispatch(3) for NetBSD....
> Right now NSS is built into the C library. How can it be
> modularized?
The only thing missing is a callback to wrap the likes of getpass() and
which returns a string containing the user-supplied "key" and another
callback for actually doing the authentication testing step, which by
default would be a wrapper calling some routine I'll call "checkpass()"
to do the default strcmp(crypt()) calls. Of course it would help to
have some way for abstracting the "token" and the "key" so that more
complex data structures could be passed back and forth from getpw*(),
the getpass() callback and the checkpass() though that would complicate
backwards compatibility of the API a bit much and in reality it's
probably not too much to expect that all these things need to be encoded
in strings that can be passed in struct passwd's pw_passwd, i.e. as
extensions to what we already have defined in passwd.conf(5).
See login.c for the current mess of #ifdefs and goto's to handle this
for the likes of skey, kerberos, etc. All that stuff really needs to
be abstracted anyway, and putting it under the nsswitch.conf framework
seems quite logical.
> What do I do for LDAP authentication? Link LDAP libraries
> into libc?
Yes, exactly, and call them via wrappers using the nsdispatch callbacks.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
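The callback scheme Greg sketches above, written out as an added example; it is not code from the thread or from NetBSD's libc. The "$toy$" encoding is a constructed stand-in for crypt(3), and the files/ldap tables, user names and passwords are made up.

```c
#include <stdio.h>
#include <string.h>
/* A source: lookup returning the pw_passwd token, plus a checkpass hook. */
struct nssrc {
    const char *(*getpwtoken)(const char *user);          /* pw_passwd or NULL */
    int (*checkpass)(const char *token, const char *key); /* 1 = accepted */
};
/* Constructed stand-in for crypt(3), "$toy$" + hex(byte ^ 0x5a): links without libcrypt; NOT a password hash. */
static const char *toycrypt(const char *key, char out[64]) {
    size_t n = strlen(key) > 29 ? 29 : strlen(key);   /* fits the buffer */
    strcpy(out, "$toy$");
    for (size_t i = 0; i < n; i++)
        sprintf(out + 5 + 2 * i, "%02x", (unsigned char)(key[i] ^ 0x5a));
    return out;
}
/* Default checkpass: the mail's strcmp(crypt()); real code wants a timing-safe compare such as consttime_memequal(3). */
static int default_checkpass(const char *token, const char *key) {
    char buf[64];
    return strcmp(token, toycrypt(key, buf)) == 0;
}
/* "files" source: constructed one-line passwd table (alice, password "s3cret"). */
static const char *files_getpw(const char *user) {
    return strcmp(user, "alice") == 0 ? "$toy$296939283f2e" : NULL;
}
/* "ldap" source: constructed directory knowing only bob; its token format is its own, so it brings its own checkpass. */
static const char *ldap_getpw(const char *user) {
    return strcmp(user, "bob") == 0 ? "{TOY}b0bpass" : NULL;
}
static int ldap_checkpass(const char *token, const char *key) {
    return strncmp(token, "{TOY}", 5) == 0 && strcmp(token + 5, key) == 0;
}
static const struct nssrc sources[] = {   /* nsswitch.conf: passwd: files ldap */
    { files_getpw, default_checkpass }, { ldap_getpw, ldap_checkpass } };
/* login.c without the #ifdef/goto tangle: get the key through a callback (the
 * getpass() wrapper), then walk the sources in order as nsdispatch(3) would. */
int login_check(const char *user, const char *(*getkey)(const char *prompt)) {
    const char *key = getkey("Password:");
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
        const char *tok = sources[i].getpwtoken(user);
        if (tok != NULL)                  /* first source that knows the user decides */
            return sources[i].checkpass(tok, key);
    }
    return 0;                             /* unknown everywhere: reject */
}
static const char *demo_key;              /* non-interactive getkey so it runs offline */
static const char *demo_getkey(const char *prompt) { (void)prompt; return demo_key; }
int login_check_with_key(const char *user, const char *key) {
    demo_key = key;
    return login_check(user, demo_getkey);
}
```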