Subject: Re: Re:PAM
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Ross Patterson <Ross.Patterson@CatchFS.Com>
Date: 09/26/2002 12:35:07
On Thursday 26 September 2002 11:40 am, Greg A. Woods wrote:
> PAM is simply a "standard" API
> that relies specifically on dynamic binding to enable applications
> wishing to do authentication and authorisation (A&A) be able to do so
> with methods that were unspecified at the time those applications were
> designed and built.
*AND* with full control over the specification and interactions of those
methods by the system administrator.
> The primary reason PAM was designed was to give proprietary OS vendors
> the ability to provide hooks into their A&A applications such that users
> could implement and use A&A mechanisms that may not even have been
> thought of at the time the OS was released.
Which explains why PAM has been such a big win in Linux?
> This is of course completely and
> totally unnecessary in any open source system since the user has full
> access to all of the source code and they can hook in any module at any
> time without needing to use dynamically loaded code.
You're confusing "user" with "programmer", and in many cases with
> Any decent API with similar capabilities would allow the user to hook
> such new A&A modules into one place without having to modify all A&A
> applications (i.e. applications can still be designed by the open source
> vendor without knowing what authentication methods will be used or even
> thought of in the future).
Agreed, so long as it can be done without the "user" writing any program code.
> PAM suffers in that it _requires_ (by its own design) the use of dynamic
> runtime object code loading, which is itself fraught with all kinds of
> issues, including _many_ security related issues.
I've never tried to use it this way, but from what I read it's possible to
statically link a PAM environment if the individual modules support doing so
(as all of the common examples in the Linux-PAM package do). Certainly the
code-delta to support static linking is very small - a few dozen lines and
using some cpp symbols.
Ross A. Patterson
CatchFIRE Systems, Inc.
5885 Trinity Parkway, Suite 220
Centreville, VA 20120