Subject: Re: integrating PAM
To: Greg A. Woods <>
From: Simon J. Gerraty <>
List: current-users
Date: 01/22/2003 00:05:13
>Note BSD Auth can use PAM modules, but as I understand it, not the other

Some PAM modules perhaps but not those that want/need to tweak the 
state of the original process.

Here's a real world example for you...  template users authenticated
via radius (or tacplus).  Along with the auth ok message radius can
provide the name of a "real" account (the template) on the box.
Thus the user gets say logname=hoopie but pw_name=remote.

Now - how exactly would you do that with BSD Auth?
Note; the answer "I have no need of that functionality" isn't an option.

>way around (and of course it doesn't make even the remotest bit of sense

What exactly would make it impossible for a PAM module to invoke a 
sub-process?  That is about all that's needed for BSD Auth right?

And why would it make zero sense to have a ?
if nothing else it would provide a simple hook for folk to implement
simple authentication scripts such as those Peter Seebach mentioned.
Folk that fear/loath shared libs need not of course install it of course. 

Note I have no objection to BSD Auth, and making it an option (via PAM
perhaps) sounds like a good idea.  But it is far from a "standard"
(further than PAM anyway) and does not address all the issues PAM does.

Regardless, there is no need to see the two as mutually exclusive.