Subject: Re: PAM and BSD Authentication
To: None <email@example.com>
From: Paul Borman <firstname.lastname@example.org>
Date: 01/23/2003 15:31:45
Peter Seebach pointed this discussion out to me. Being the original
author of BSD Authentication I thought I could shed some light on some
BSD Authentication was designed to allow a flexible authentication
mechanism that did not require recompilation, did not require the
requesting program to have special privileges, and to provide a
flexible framework for future enhancements. The entire /etc/login.conf
paradigm was designed along side of BSD Authentication. BSD
Authentication is not dependent on shared libraries, but on the
standard process model and the setuid/setgid bits.
As has been mentioned, there is nothing in BSD Authentication that
prevents an authentication module from using PAM.
BSD Authentication does allow the passing back of information, such as
set this environment variable or clear that environment variable. It
also has a mechanism to pass back arbitrary name/value pairs.
BSD Authentication also separates out the issue of authentication and
approval. Just because we know who are you does not mean you can have
access! Once authentication has been complete, an approval program may
optionally be run, as was mentioned by an earlier poster.
BSD Authentication also includes the concept of classification.
Classification programs are used to alter how you will do
authentication. For example, login might allow standard password
authentication on a trusted local network (in your house) but require a
one time password, kerberos, or some other secure mechanism when
connecting from an external network.
I give kudo's to the OpenBSD team for their work to improve the code
that BSDi originally made available under the standard CSRG license.
I personally have never been fond of PAM. I dislike using dynamically
linked libraries in an application that is security related, in
particular when it makes that application require root privileges. I
realize it may be a popular system, but then, Windows is also popular
I hope my comments may have provided you some assistance as you work
towards a solution. I should mention I am not on this mailing list
(Peter, if my message does not get posted maybe you can post it for me
:-) so if you would like me to see a response, or have questions for
me, please include me on your CC: or To: line.