Subject: Re: PAM
To: None <firstname.lastname@example.org>
From: Dan Melomedman <email@example.com>
Date: 09/26/2002 11:22:40
Chuck Yerkes wrote:
> And having hacked support for EITHER S/Key OR Challenge
> response into telnet (at the time), wuftpd, and several
> other tools, it was a big PITA.
> What made sense? As I looked at it, some sort of generic
> "authenticate_connection()" routine. Let those routines
> make determinations based on:
> 1) my source address
> 2) the user I'm coming in as
> 3) time of day (why not?)
> 4) service in use.
5) UID/GID, as in http://www.superscript.com/ucspi-ipc/getpeereid.html
But why call authenticate_connection() from a service which needs
authentication? Why not call authenticating functions from an
authenticator process? login, telnet, ftpd, and others can easily be
spawned by authenticators - modular, simple, and easy.
A fault in an authenticator doesn't affect the service. A fault in a
service will immediately tell you where to look for bugs - definitely
not in an authenticator. This is how to prevent security holes and code
size, and simplify the system - modularity.
I am not alone in thinking this way - many secure software packages enjoy
> I've not really had difficulty compiling and using PAM modules.
> Are you stuck because you don't understand it in practice?
> In code? You're just angry at the concept?
I haven't had much fun with PAM at all - the PAM system is
overly complex, as should be obvious, and is inferior to simpler, more
effective frameworks IMHO.
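The authenticator-process design sketched above (decide on source address, requested user, time of day, service, and kernel-asserted UID/GID; only then spawn the service), as an added example that is not code from this thread. The policy table, service paths and the use of Linux SO_PEERCRED in place of getpeereid() are assumptions for illustration.

```python
"""Authenticator process pattern: the decision is made here, the service is
exec'd in a child only after an allow, so a fault in the service never runs
inside the authenticator. Constructed example; policy values are made up."""
import os
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    source: str   # peer address, or "local" for a UNIX-domain socket
    user: str     # account the client asked for
    hour: int     # local hour of day, 0-23
    service: str  # "login", "ftpd", ...
    uid: int      # peer uid as reported by the kernel (getpeereid/SO_PEERCRED)
    gid: int


# Constructed policy: which gid may reach which service, when, and from where.
POLICY = {
    "ftpd":  {"gids": {100},    "hours": range(8, 18), "from": ("10.0.0.",)},
    "login": {"gids": {0, 100}, "hours": range(0, 24), "from": ("local",)},
}
SERVICES = {"ftpd": ["/usr/sbin/ftpd"], "login": ["/bin/login"]}  # assumed paths


def peer_creds(sock: socket.socket) -> tuple:
    """uid/gid of the peer on a UNIX socket (Linux SO_PEERCRED: pid, uid, gid)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, gid = struct.unpack("3i", raw)
    return uid, gid


def authenticate_connection(c: Conn) -> bool:
    rule = POLICY.get(c.service)
    if rule is None:
        return False  # unknown service: deny by default
    if c.uid == 0 and c.service != "login":
        return False  # root is never let through to a network daemon here
    return (c.gid in rule["gids"]
            and c.hour in rule["hours"]
            and any(c.source.startswith(p) for p in rule["from"]))


def spawn_service(c: Conn, conn_fd: int) -> int:
    """Authenticate first; then fork, shed privileges to the peer's uid/gid and
    exec the service with the connection on stdin/stdout. Returns child pid."""
    if not authenticate_connection(c):
        raise PermissionError(f"{c.user}@{c.source} denied for {c.service}")
    pid = os.fork()
    if pid == 0:
        os.dup2(conn_fd, 0)
        os.dup2(conn_fd, 1)
        os.setgid(c.gid)          # gid first, then uid, so neither can be regained
        os.setuid(c.uid)
        os.execv(SERVICES[c.service][0], SERVICES[c.service])
    return pid
```

A real authenticator would accept on a listening socket, call peer_creds() on the accepted connection, build a Conn from it and hand the fd to spawn_service(); nothing service-specific ever links into the authenticator.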