Subject: Re: PAM
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/25/2002 21:40:13

Greg A. Woods wrote:
> That's a different problem.  Static linked code does not require by
> definition that the authentication be done in a separate process.  A
> separate process simply lends one a number of new features.  Whether
> those features are useful or not depends highly on the circumstances
> where and why a particular auth scheme is being used.

Separate processes are needed for more than features. Programs which
collect credentials and pass them to authenticators should do exactly
that. Authenticators read credentials and compare with the database, and
they should only perform these functions. Debugging is easy, security
holes are reduced, code size is small. Software not following these
principles includes Sendmail and BIND. Both are an embarrassment to the
Internet.
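
The split described in the reply above, as an added example that is not part of the original post: a collector hands credentials over a pipe to a separate authenticator process and learns only its exit status. The function names, the `user\0pass\0` record format and the sample database are assumptions made for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAXREC 512
/* Constructed sample database; a real authenticator would verify salted hashes. */
static const char *db[][2] = { {"alice", "correct horse"}, {"bob", "hunter2"} };

/* Equality check that does not stop at the first mismatching byte. */
static int same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Authenticator: reads "user\0pass\0" from fd, compares with the database,
   and reports only through its exit status (0 = match). */
static void authenticator(int fd) {
    char buf[MAXREC], *pass;
    ssize_t n, len = 0;
    size_t i;
    while (len < MAXREC && (n = read(fd, buf + len, MAXREC - len)) > 0) len += n;
    /* Require two NUL-terminated fields; reject anything malformed. */
    pass = memchr(buf, 0, len);
    if (!pass || ++pass >= buf + len || buf[len - 1] != 0) _exit(1);
    for (i = 0; i < sizeof db / sizeof db[0]; i++)
        if (same(buf, db[i][0]) & same(pass, db[i][1])) _exit(0);
    _exit(1);
}

/* Collector side: passes the credentials to a separate process and learns
   only the verdict. Returns 1 on success, 0 on failure or any error. */
int authenticate(const char *user, const char *pass) {
    size_t ul = strlen(user) + 1, pl = strlen(pass) + 1;
    int p[2], status, sent;
    pid_t pid;
    if (ul + pl > MAXREC || pipe(p) < 0) return 0;   /* oversized record: refuse */
    if ((pid = fork()) < 0) { close(p[0]); close(p[1]); return 0; }
    if (pid == 0) { close(p[1]); authenticator(p[0]); }  /* child never returns */
    close(p[0]);
    sent = write(p[1], user, ul) == (ssize_t)ul && write(p[1], pass, pl) == (ssize_t)pl;
    close(p[1]);                                     /* EOF tells the child to decide */
    if (waitpid(pid, &status, 0) < 0) return 0;
    return sent && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) { return !authenticate("alice", "correct horse"); }
```

A crash or malformed record in the authenticator shows up to the collector as a failed login, never as a success.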