Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/23/2003 15:41:26
Ross Patterson wrote:
> What is being argued here is really which flavor of Kool Aid NetBSD wants to 
> drink.  Both choices seem to have their advantages and drawbacks.  That would 
> seem to argue for an interface layer where the assorted zealots can choose 
> their personal definition of "good" over "evil".  Since either path will 
> require changes to programs that want to use authentication services, there 
> will be development to do no matter what the decision.  Unless, of course, 
> NetBSD decides that the only way to win is not to play the game.

What seems to me the obvious advantage of BSD Auth is its simplicity.
Writing authenticating shell scripts, unless I am missing something, is
inherently easy compared to writing loadable modules. Same goes for
easier debugging, and easy privilege separation. BSD Auth has immediate
advantages for the common system administrator who would rather write a
simple interpreter script than wait for someone to write a large and complex
PAM module such as pam-ldap.

The disadvantage is that BSD Auth can't modify the process state of the
calling process. Another disadvantage is it's not as widespread as PAM.
I think the advantages of BSD Auth far outweigh its disadvantages for
most people.