Subject: Re: integrating PAM
To: Greg A. Woods <woods@weird.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 01/22/2003 00:05:13

>Note BSD Auth can use PAM modules, but as I understand it, not the other
Some PAM modules perhaps but not those that want/need to tweak the
state of the original process.

Here's a real world example for you... template users authenticated
via radius (or tacplus). Along with the auth ok message radius can
provide the name of a "real" account (the template) on the box.
Thus the user gets, say, logname=hoopie but pw_name=remote.
Now - how exactly would you do that with BSD Auth?
Note: the answer "I have no need of that functionality" isn't an option.

>way around (and of course it doesn't make even the remotest bit of sense
What exactly would make it impossible for a PAM module to invoke a
sub-process? That is about all that's needed for BSD Auth, right?
And why would it make zero sense to have a pam_bsdauth.so?
If nothing else it would provide a simple hook for folk to implement
simple authentication scripts such as those Peter Seebach mentioned.
Folk that fear/loathe shared libs need not install it of course.

Note I have no objection to BSD Auth, and making it an option (via PAM
perhaps) sounds like a good idea. But it is far from a "standard"
(further than PAM anyway) and does not address all the issues PAM does.
Regardless, there is no need to see the two as mutually exclusive.

Thanks
--sjg
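
The sub-process hook the message asks about, as an added example that is not part of the original post or of any existing pam_bsdauth.so: a C helper that runs a BSD Auth style login script and reads its verdict from the back channel on file descriptor 3. The function name `bsdauth_run` is hypothetical, and the sketch assumes the script writes `authorize` or `reject` lines on fd 3; a PAM module's `pam_sm_authenticate` could map the result to `PAM_SUCCESS` or `PAM_AUTH_ERR`.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper for a pam_bsdauth-style module: run a BSD Auth
 * style login script and read its verdict from the back channel (fd 3).
 * Returns 1 for "authorize", 0 for reject or no verdict, -1 on error. */
int bsdauth_run(char *const argv[])
{
    int bc[2], status, ok = 0;
    char buf[512];
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (pipe(bc) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(bc[0]); close(bc[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: the login script */
        close(bc[0]);
        if (bc[1] != 3) {
            if (dup2(bc[1], 3) < 0) _exit(127);
            close(bc[1]);
        }
        execv(argv[0], argv);
        _exit(127);                       /* exec failed: no verdict */
    }
    close(bc[1]);                         /* parent: only reads */
    while (used < sizeof(buf) - 1 &&
           (n = read(bc[0], buf + used, sizeof(buf) - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(bc[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;

    /* Fail closed: any "reject" line wins, and a non-zero exit denies. */
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (strncmp(line, "reject", 6) == 0)
            return 0;
        if (strncmp(line, "authorize", 9) == 0)
            ok = 1;
    }
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Because the script runs as a child, it can return a verdict but cannot change the caller's own state, which is the limitation the template-user case above runs into.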