Subject: integrating PAM
To: None <>
From: John Nemeth <>
List: current-users
Date: 01/21/2003 12:40:31
     Since the topic has come up again, I would like to start a
discussion about integrating PAM into NetBSD.  I would like to restrict
the discussion to people that actually know PAM (i.e. you should have
at least read the API).  Past discussions have been bogged down by
people presenting non-existant problems (i.e. "PAM can't interact with
users", "can't work with smart cards", etc.).

     There have been a number of complaints about potential security
issues.  A big one has had to do with PAM operating within the
environment of the program wanting to do authentication.  However, if
this is a problem, then an unauthorised person is already root, has the
ability to place arbitrary files on the system, or the administrator
has really screwed up the permissions on the PAM modules.  Either way,
the game is already over, and it isn't a PAM problem (i.e. the problem
is neither mitigated nor made worse by the presence of PAM).  The last
problem could be mitigated by the PAM library refusing to load modules
with inappropriate permissions.

     There is the issue that a bug in a PAM module could cause a
security vulnerability in all the apps that use it.  There isn't much
that can be done about this, beyond careful coding and thorough
testing.  This is, of course, a problem with all library routines.
Since modules will be common and a lot of people will be using them,
there will be lots of people to search for and fix bugs.  Hopefully,
this will minimise them.  Another issue is that programs that don't
otherwise need to do so will need to run as root in order to use some
authentication methods.  This could be mitigated by having the PAM
module call-out to a setuid helper program.  This, of course,
introduces the problem of secure inter-process communication and hence
isn't without its detractions.  Finally, there are people who simply
don't like shared libraries and claim they cause security problems.  I
don't buy their arguments.  However, it is extremely obvious that
NetBSD will not be returning to a system where it is completely
statically linked, so I don't believe this is a point for discussion.

     There has been much criticism about PAM not being ideal.  However,
we all know about other solutions that aren't ideal, but which must be
included if NetBSD is to be considered to be a player in the OS game
(i.e.  NFS).  PAM is currently used by FreeBSD, HP-UX, most Linux
systems, and Solaris.  It is also used by many third party apps that
need to perform authentication.  It is the only standarised way of
having flexible authentication.  For these reasons, I believe PAM is
rapidly, if not already, joining the ranks of things like NFS in that
it is essential in order to stay in the OS game.  This, to me, is the
bottom line (i.e. I feel that it will have to be done sooner or later,
most likely sooner, regardless of people's opinions on the topic).