Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/26/2002 11:22:40
Chuck Yerkes wrote:
> And having hacked support for EITHER S/Key OR Challenge
> response into telnet (at the time), wuftpd, and several
> other tools, it was a big PITA.
> 
> What made sense?  As I looked at it, some sort of generic
> "authenticate_connection()" routine.  Let those routines
> make determinations based on:
> 1) my source address
> 2) the user I'm coming in as
> 3) time of day (why not?)
> 4) service in use.

  5) UID/GID, as in http://www.superscript.com/ucspi-ipc/getpeereid.html

But why call authenticate_connection() from a service which needs
authentication? Why not call authenticating functions from an
authenticator process? login, telnet, ftpd, and others can easily be
spawned by authenticators - modular, simple, and easy.
A fault in an authenticator doesn't affect the service. A fault in a
service will immediately tell you where to look for bugs - definitely
not in an authenticator. This is how to prevent security holes, cut code
size, and simplify the system - modularity.

I am not alone in thinking this way - many secure software packages enjoy
this model.

> I've not really had difficulty compiling and using PAM modules.
> Are you stuck because you don't understand it in practice?
> In code?  You're just angry at the concept?

I haven't had much fun with PAM at all - the PAM system is
overly complex, as should be obvious, and is inferior to simpler, more
effective frameworks IMHO.
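The two ideas in this message, a generic authenticate_connection() that decides on source address, user, time of day, service and peer UID/GID, and an authenticator process that makes that decision and only then spawns the service, can be put together in a few dozen lines. The block below is an added example written for this page, not code from the thread, NetBSD, PAM or ucspi-ipc. The policy data (trusted networks, service hours, the passwd table), the rule names, the AUTH_* environment variables and the service argv are all constructed for illustration; the peer UID is taken as an already-obtained value, since getpeereid()/SO_PEERCRED only exists for local sockets and the kernel knows nothing for a TCP peer.

```python
"""Added example (not from the thread): an authenticator process that makes the
access decision on the inputs listed in the message and only then spawns the
service, so the service itself never links any authentication code."""
import ipaddress
import subprocess
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Connection:
    source: str                     # 1) peer IP address
    user: str                       # 2) account the peer is coming in as
    service: str                    # 4) service requested: "login", "ftpd", ...
    now: time                       # 3) wall-clock time of the attempt
    peer_uid: Optional[int] = None  # 5) from getpeereid()/SO_PEERCRED on a local socket
    peer_gid: Optional[int] = None  #    (None for a TCP peer; the kernel has no credentials)


# Constructed policy data for the example; a real deployment would read these from config.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
SERVICE_HOURS = {"ftpd": (time(8, 0), time(18, 0))}  # only ftpd is time-restricted here
LOCAL_USERS = {"alice": 1001, "bob": 1002}           # hypothetical passwd table

Verdict = Optional[bool]  # True = vouch for, False = veto, None = no opinion


def rule_source(c: Connection) -> Verdict:
    """Source address must lie inside a trusted network."""
    return any(ipaddress.ip_address(c.source) in net for net in TRUSTED_NETS)


def rule_hours(c: Connection) -> Verdict:
    """Time-of-day window, only for services that have one configured."""
    window = SERVICE_HOURS.get(c.service)
    if window is None:
        return None
    start, end = window
    return start <= c.now <= end


def rule_peer_cred(c: Connection) -> Verdict:
    """On a local socket the kernel-supplied uid must match the claimed account."""
    if c.peer_uid is None:
        return None
    return LOCAL_USERS.get(c.user) == c.peer_uid


RULES = [rule_source, rule_hours, rule_peer_cred]


def authenticate_connection(c: Connection, rules=RULES) -> tuple:
    """Default deny: any veto loses, and at least one rule must vouch.
    Returns (allowed, names of the rules that decided it)."""
    vouched, vetoed = [], []
    for rule in rules:
        verdict = rule(c)
        if verdict is True:
            vouched.append(rule.__name__)
        elif verdict is False:
            vetoed.append(rule.__name__)
    if vetoed:
        return False, vetoed
    return bool(vouched), vouched


def service_environment(c: Connection) -> dict:
    """What the spawned service sees: the verified identity, never the policy
    or any credential material (variable names are constructed for the example)."""
    return {"PATH": "/usr/bin:/bin", "AUTH_USER": c.user,
            "AUTH_SOURCE": c.source, "AUTH_SERVICE": c.service}


def spawn_service(c: Connection, argv: list) -> Optional[subprocess.CompletedProcess]:
    """The authenticator decides, then runs the service as a separate process.
    A denied connection never reaches the service at all, so a bug in the
    service cannot be an authentication bypass and vice versa."""
    allowed, _ = authenticate_connection(c)
    if not allowed:
        return None
    return subprocess.run(argv, env=service_environment(c),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    import sys
    conn = Connection("192.0.2.10", "alice", "ftpd", time(9, 30))
    print(authenticate_connection(conn))
    # Stand-in for ftpd: a child that only reads the identity the authenticator set.
    result = spawn_service(conn, [sys.executable, "-c",
                                  "import os; print('service for', os.environ['AUTH_USER'])"])
    print(result.stdout.strip() if result else "denied")
```

The split is the point of the message: the service (the child) contains no rule code and no credential handling, and the authenticator contains no protocol code; a fault in either is confined to that process. Adding a sixth input, say a per-user lockout, is one more rule function and no change to any service.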