Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: None <netbsd99@sudog.com>
List: current-users
Date: 01/23/2003 10:31:30

On Thursday 23 January 2003 10:02, Ken Hornstein wrote:
>
> I understand that's what you want .... but what you haven't really
> explained is why. I mean, a PAM module that implements BSD Auth will
> work for apps that today make PAM calls. If you have your own code
> that you want to convert, just make it do BSD Auth. What, exactly, is
> the problem? As far as I can tell, it basically boils down to
> "Applications that call PAM functions really chap my ass".

All PAM implementations I've seen are needlessly complex and difficult to
modify and use in a large-ish environment. On a system with 40,000 busy user
accounts, every PAM I've seen bogs down to the point where logins can time
out before the PAM auth returns. Compiling out PAM support is kind of a pain.
Some would say that the implementations are at fault, but I think that the
specifications make it hard to build an implementation that Doesn't Suck.
Perhaps the truth is somewhere in between.

My hope is that any NetBSD rollout won't be a huge bloated mass that kills
large sites, nor something that can't be cleanly excised like the horrible
tumour that people like myself consider PAM to be.