Subject: Re: Re:PAM
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Ross Patterson <Ross.Patterson@CatchFS.Com>
List: current-users
Date: 09/26/2002 12:35:07
On Thursday 26 September 2002 11:40 am, Greg A. Woods wrote:
> PAM is simply a "standard" API
> that relies specifically on dynamic binding to enable applications
> wishing to do authentication and authorisation (A&A) be able to do so
> with methods that were unspecified at the time those applications were
> designed and built.

*AND* with full control over the specification and interactions of those 
methods by the system administrator.

> The primary reason PAM was designed was to give proprietary OS vendors
> the ability to provide hooks into their A&A applications such that users
> could implement and use A&A mechanisms that may not even have been
> thought of at the time the OS was released.  

Which explains why PAM has been such a big win in Linux?

> This is of course completely and
> totally unnecessary in any open source system since the user has full
> access to all of the source code and they can hook in any module at any
> time without needing to use dynamically loaded code.

You're confusing "user" with "programmer", and in many cases with 
"sophisticated programmer".

> Any decent API with similar capabilities would allow the user to hook
> such new A&A modules into one place without having to modify all A&A
> applications (i.e. applications can still be designed by the open source
> vendor without knowing what authentication methods will be used or even
> thought of in the future).

Agreed, so long as it can be done without the "user" writing any program code.

> PAM suffers in that it _requires_ (by its own design) the use of dynamic
> runtime object code loading, which is itself fraught with all kinds of
> issues, including _many_ security related issues.  

I've never tried to use it this way, but from what I read it's possible to 
statically link a PAM environment if the individual modules support doing so 
(as all of the common examples in the Linux-PAM package do).  Certainly the 
code-delta to support static linking is very small - a few dozen lines and 
using some cpp symbols.
-- 
Ross A. Patterson
CatchFIRE Systems, Inc.
5885 Trinity Parkway, Suite 220
Centreville, VA  20120
(703) 563-4164
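
Added example (not code from this thread, from Linux-PAM or from NetBSD): a miniature PAM-style authentication stack in C that illustrates the two points argued above. The application calls one function and never learns which mechanism checked the credential; the administrator's configuration lines choose the modules and their control flags, walked with the stack semantics Linux-PAM documents. A single cpp symbol switches module lookup between a statically linked table and dlopen(), which is the "few dozen lines and some cpp symbols" static-linking point. MPAM_STATIC, mpam_sm_authenticate, mod_fixed, mod_deny, the credential table and the three configurations are all constructed for this example; MPAM_STATIC is named by analogy with the PAM_STATIC switch Linux-PAM used.

```c
#include <stdio.h>
#include <string.h>

/* Return codes, modelled on PAM's. */
enum { MPAM_SUCCESS = 0, MPAM_AUTH_ERR = 1, MPAM_MODULE_UNKNOWN = 2 };

/* Every module exports one function of this shape, as pam_sm_authenticate() does in PAM. */
typedef int (*mpam_authenticate_fn)(const char *user, const char *secret);

/* Toy module 1 (constructed): a hard-coded credential table standing in for a password file. */
static int mod_fixed_authenticate(const char *user, const char *secret)
{
    static const char *const creds[][2] = { { "alice", "correct horse" }, { "bob", "battery staple" } };
    for (size_t i = 0; i < sizeof creds / sizeof creds[0]; i++)
        if (strcmp(creds[i][0], user) == 0 && strcmp(creds[i][1], secret) == 0)
            return MPAM_SUCCESS;
    return MPAM_AUTH_ERR;
}

/* Toy module 2 (constructed): always refuses, like pam_deny. */
static int mod_deny_authenticate(const char *user, const char *secret)
{
    (void)user; (void)secret; return MPAM_AUTH_ERR;
}

/* One cpp symbol selects how modules are found.  MPAM_STATIC is named by analogy with the
 * PAM_STATIC switch Linux-PAM used; it defaults on here so the file builds with no .so on disk. */
#ifndef MPAM_STATIC
#define MPAM_STATIC 1
#endif

#if MPAM_STATIC
/* Static build: modules are linked into the binary and found by name in this table. */
static const struct { const char *name; mpam_authenticate_fn fn; } mpam_static_modules[] = {
    { "mod_fixed", mod_fixed_authenticate }, { "mod_deny", mod_deny_authenticate },
};
static mpam_authenticate_fn mpam_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof mpam_static_modules / sizeof mpam_static_modules[0]; i++)
        if (strcmp(mpam_static_modules[i].name, name) == 0)
            return mpam_static_modules[i].fn;
    return NULL;
}
#else
#include <dlfcn.h>
/* Dynamic build (-DMPAM_STATIC=0; -ldl where dlopen is outside libc): the name is a .so path
 * whose entry point is resolved at run time, which is what PAM normally does. */
static mpam_authenticate_fn mpam_lookup(const char *name)
{
    void *handle = dlopen(name, RTLD_NOW | RTLD_LOCAL);
    return handle ? (mpam_authenticate_fn)dlsym(handle, "mpam_sm_authenticate") : NULL;
}
#endif

/* One line of the administrator's configuration: "<control> <module>". */
struct mpam_entry { const char *control; const char *module; };

/* Walk the stack with the control-flag semantics Linux-PAM documents: requisite failure ends
 * the stack at once; required failure is remembered while the rest still run; sufficient
 * success ends the stack at once unless a required module already failed, and its failure is
 * ignored; optional decides only when no required/requisite module is present.  Unknown
 * modules or control words, and a stack that grants nothing, fail closed. */
int mpam_authenticate(const struct mpam_entry *stack, size_t n, const char *user, const char *secret)
{
    int failed = 0, decisive = 0, optional_seen = 0, optional_rc = MPAM_AUTH_ERR;
    for (size_t i = 0; i < n; i++) {
        mpam_authenticate_fn fn = mpam_lookup(stack[i].module);
        if (fn == NULL)
            return MPAM_MODULE_UNKNOWN;
        int rc = fn(user, secret);
        const char *ctl = stack[i].control;
        if (strcmp(ctl, "requisite") == 0) {
            if (rc != MPAM_SUCCESS) return MPAM_AUTH_ERR;
            decisive = 1;
        } else if (strcmp(ctl, "required") == 0) {
            if (rc != MPAM_SUCCESS) failed = 1;
            decisive = 1;
        } else if (strcmp(ctl, "sufficient") == 0) {
            if (rc == MPAM_SUCCESS && !failed) return MPAM_SUCCESS;
        } else if (strcmp(ctl, "optional") == 0) {
            optional_seen = 1; optional_rc = rc;
        } else {
            return MPAM_MODULE_UNKNOWN;
        }
    }
    if (decisive) return failed ? MPAM_AUTH_ERR : MPAM_SUCCESS;
    return optional_seen ? optional_rc : MPAM_AUTH_ERR;
}

/* Constructed configurations: the same application code yields three different policies. */
const struct mpam_entry strict_stack[] = { { "required", "mod_fixed" } };
const struct mpam_entry locked_stack[] = { { "required", "mod_fixed" }, { "required", "mod_deny" } };
const struct mpam_entry leaky_stack[]  = { { "sufficient", "mod_fixed" }, { "required", "mod_deny" } };

int main(void)
{
    printf("strict: %d\n", mpam_authenticate(strict_stack, 1, "alice", "correct horse"));
    printf("locked: %d  leaky: %d\n", mpam_authenticate(locked_stack, 2, "alice", "correct horse"),
           mpam_authenticate(leaky_stack, 2, "alice", "correct horse"));
    return 0;
}
```

The leaky_stack configuration is the reason control over the stack matters: a sufficient module placed ahead of a required one short-circuits the required module on success, so mod_deny there never runs for a correct password, while locked_stack refuses the same user. Build with cc -o mpam mpam.c; add -DMPAM_STATIC=0 (and -ldl where dlopen is not in libc) for the dlopen path, which then needs real shared objects on disk exporting mpam_sm_authenticate.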