Subject: Re: PAM
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Love <lha@stacken.kth.se>
List: current-users
Date: 09/26/2002 14:36:58
First, since Greg A. Woods thinks that I am a pro-PAM person: I'm not. I don't
care if you use PAM, SIA, bsd-auth or men with three lingonberries on
their shoulders to solve the problem. I'm a pro-AFS person; being an author
of an AFS implementation kind of hints that I am.
> > With the exception that this still requires PAM since there is no way to
> > modify another process's pag.
>
> No, it does not _require_ PAM. I think your PAM blinders are preventing
> you from seeing the obvious alternatives.
I don't have any PAM blinders, I have AFS blinders.
> > > Watson does also advocate PAM, it's not a fundamental part of the design
> > > he promotes.
> >
> > It is
>
> No, it is not. Watson's proposal works perfectly well for static-linked
> code.
>
> > since there is no set_pag_for_pid() in his api.
>
> That's a different problem. Static linked code does not require by
> definition that the authentication be done in a separate process. A
> separate process simply lends one a number of new features. Whether
> those features are useful or not depends highly on the circumstances
> where and why a particular auth scheme is being used.
>
> Indeed in Watson's API there isn't a way to modify/assign the PAG for
> another process, but that's a pretty trivial and obvious modification to
> make. Take off your PAM blinders! ;-)
There are a lot of security problems with allowing that, like how do you do
that when you are in securelevel > 0?
And it requires me to modify all applications, same with Douglas Engert's
proposal. If I use PAM it doesn't.
I'm not looking at the problem from the "is PAM good or not" direction, I'm
looking at it from the "is this good for AFS" direction.
Really, I would like to have both a bsd-auth (exec-chain?)-like PAM module
so my xlock can verify against my keyfile when I'm using Kerberos.
> > > Douglas Engert has also implemented some interesting ideas in this area:
> > >
> > > http://www.ornl.gov/~jar/dfs-afs.html
> >
> > Same thing here.
>
> You apparently didn't read far/closely enough:
Summary: you think that we AFS users need to modify all applications to do
afs_setpag where we think it's needed. That sucks.
This is my last mail in this thread; this is a boring discussion since no one
is going to change their opinion.
Love