Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/25/2002 21:01:30
Greywolf wrote:
> To add to the mix,
>
> When trying to set up PAM, I do note that "things which require paths to
> modules" are daunting compared to "put this basename here and let it
> search the predefined path(s)".
I don't mind the paths as much as I despise hard-to-understand
configuration files. Also, configuration files should be easily parseable
and editable by software, not only humans.
> I notice that under Solaris, all sorts of fields are required for each
> entry. There must be a somewhat less complex way of setting up modules
> for incorporation. I haven't played with Linux sufficiently to see how
> their PAM works.
Yes! For Linux and FreeBSD, modules can be:
auth, account, session, password
and on success or failure:
required, requisite, sufficient, optional
they can:
debug, use_first_pass, try_first_pass, use_mapped_pass, expose_account
Example:
login auth     sufficient pam_skey.so
login auth     sufficient pam_opie.so no_fake_prompts
login auth     required   pam_opieaccess.so
login auth     requisite  pam_cleartext_pass_ok.so
login auth     required   pam_unix.so try_first_pass
login account  required   pam_unix.so
login password required   pam_permit.so
login session  required   pam_permit.so
Does the system really need to do so many things? All I want is one
module for one type of authentication, with two deterministic results -
success or failure. Simple, easy, and uh, sufficient. Keep it simple,
stupid.
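As an added illustration that is not part of the original message or of any PAM implementation: the stack quoted above is small enough to parse and evaluate by hand, which shows both how machine-editable the four-column format is and what the four control flags actually do when modules are stacked. The Python below parses pam.conf-style lines (service, type, control, module, arguments), rejects unknown types and flags, and then replays the login auth stack with simulated per-module results following the documented Linux-PAM/OpenPAM rules: a failing "required" module is remembered but the stack keeps running (so the caller cannot tell which module failed), a failing "requisite" module stops immediately, a succeeding "sufficient" module ends the stack early unless a required module already failed, and "optional" only counts when it is the sole module. No real modules are loaded; the per-module outcomes are constructed input, and the multi-module optional-only case is a deliberate deny-by-default simplification.

```python
"""Parse a pam.conf-style file and evaluate one service's module stack.

Added example, not code from the original post. Models the documented
control-flag semantics (required, requisite, sufficient, optional) with
simulated per-module results; no real PAM modules are loaded.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# The login stack quoted in the post (old-style pam.conf: service in column 1).
PAM_CONF = """\
login auth     sufficient pam_skey.so
login auth     sufficient pam_opie.so no_fake_prompts
login auth     required   pam_opieaccess.so
login auth     requisite  pam_cleartext_pass_ok.so
login auth     required   pam_unix.so try_first_pass
login account  required   pam_unix.so
login password required   pam_permit.so
login session  required   pam_permit.so
"""


@dataclass
class Rule:
    service: str
    mtype: str
    control: str
    module: str
    args: List[str] = field(default_factory=list)


@dataclass
class Outcome:
    granted: bool
    consulted: List[str]  # modules actually invoked, in order


def parse_pam_conf(text: str) -> List[Rule]:
    """Parse 'service type control module [args...]' lines; '#' starts a comment.

    Unknown module types or control flags raise instead of being guessed at,
    which is what makes the format safe for software, not just humans, to edit.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need 'service type control module [args]'")
        service, mtype, control, module, *args = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {mtype!r}")
        if control not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        rules.append(Rule(service, mtype, control, module, args))
    return rules


def evaluate_stack(rules: List[Rule], service: str, mtype: str,
                   results: Dict[str, bool]) -> Outcome:
    """Run the (service, mtype) stack with simulated module results.

    `results` maps module file name -> True (success) / False (failure); a
    module absent from the map counts as failing, like an unloadable module.
    Deny by default: if no module contributes a counting result, deny.
    """
    stack = [r for r in rules if r.service == service and r.mtype == mtype]
    consulted: List[str] = []
    required_failed = False   # a 'required' module failed: keep going, then deny
    decided = False           # at least one module's result counts
    for rule in stack:
        ok = results.get(rule.module, False)
        consulted.append(rule.module)
        if rule.control == "required":
            decided = True
            if not ok:
                required_failed = True   # continue, so the failing module is not revealed
        elif rule.control == "requisite":
            if not ok:
                return Outcome(False, consulted)   # stop immediately
            decided = True
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return Outcome(True, consulted)    # stop early with success
            # a failing 'sufficient' module is ignored
        elif rule.control == "optional":
            if len(stack) == 1:                    # counts only when alone in the stack
                return Outcome(ok, consulted)
            # simplification: otherwise ignored (multi-module optional-only
            # stacks are implementation-specific; this toy denies them)
    return Outcome(decided and not required_failed, consulted)


if __name__ == "__main__":
    rules = parse_pam_conf(PAM_CONF)
    # A one-time S/Key password short-circuits the stack via 'sufficient'.
    print(evaluate_stack(rules, "login", "auth", {"pam_skey.so": True}))
    # A failing 'required' pam_opieaccess.so still lets pam_unix.so run, then denies.
    print(evaluate_stack(rules, "login", "auth",
                         {"pam_cleartext_pass_ok.so": True, "pam_unix.so": True}))
```

The `consulted` list is the point of the exercise: with the required module failing, the stack still runs pam_unix.so before denying, whereas a requisite failure cuts the stack off at pam_cleartext_pass_ok.so. Whether that distinction is worth the extra configuration surface is exactly the question the message raises.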