Subject: Re:PAM
To: NetBSD-current Discussion List <>
From: Love <>
List: current-users
Date: 09/26/2002 14:36:58
First since Greg A. Woods think that am a pro-PAM person, I'm not. I don't
care if you use PAM, SIA, bsd-auth or men with three lingon berries on
their shoulder to solve the problem. I'm a pro-AFS person, being a author
of a AFS implementation kind hints that I am.

> > With the exception that this still requires PAM since there is no way to
> > modify another process's pag.
> No, it does not _require_ PAM.  I think your PAM blinders are preventing
> you from seeing the obvious alternatives.

I don't have any PAM blinder, I have AFS blinders.
> > > Watson does also advocate PAM, it's not a fundamental part of the design
> > > he promotes.
> > 
> > It is
> No, it is not.  Watson's proposal works perfectly well for static-linked
> code.
> > since there is no set_pag_for_pid() in his api.
> That's a different problem.  Static linked code does not require by
> definition that the authentication be done in a separate process.  A
> separate process simply lends one a number of new features.  Whether
> those features are usefull or not depends highly on the circumstances
> where and why a particular auth scheme is being used.
> Indeed in Watson's API there isn't a way to modify/assign the PAG for
> another proces, but that's a pretty trivial and obvious modification to
> make.  Take off your PAM blinders!  ;-)

There is a lot of security problems with allowing that, like how do you do
that when you are in securelevel > 0.

And it require me to modify all applications, same with Douglas Engert
proposal. If I use PAM it doesn't.

I'm not looking at the problem from PAM good or not direction, I'm looking
at it on the is this good for AFS direction.

Really, I would like to have both a bsd-auth (exec-chain ?) like PAM module
so my xlock can verify with my keyfile when I'm using Kerberos.

> > > Douglas Engert has also implemented some interesting ideas in this area:
> > > 
> > >
> > 
> > Same thing here.
> You apparently didn't read far/closely enough:

Summery: you think that we AFS users need to modify all applications to do
afs_setpag where we think its needed. That sucks.

This is my last mail in this thread, this is boring discussion since none
is going to change their opinion.