Subject: Re: PAM and BSD Authentication
To: None <>
From: Paul Borman <>
List: current-users
Date: 01/23/2003 15:31:45
Peter Seebach pointed this discussion out to me.  Being the original 
author of BSD Authentication I thought I could shed some light on some 

BSD Authentication was designed to allow a flexible authentication 
mechanism that did not require recompilation, did not require the 
requesting program to have special privileges, and to provide a 
flexible framework for future enhancements.  The entire /etc/login.conf 
paradigm was designed along side of BSD Authentication.  BSD 
Authentication is not dependent on shared libraries, but on the 
standard process model and the setuid/setgid bits.

As has been mentioned, there is nothing in BSD Authentication that 
prevents an authentication module from using PAM.

BSD Authentication does allow the passing back of information, such as 
set this environment variable or clear that environment variable.  It 
also has a mechanism to pass back arbitrary name/value pairs.

BSD Authentication also separates out the issue of authentication and 
approval.  Just because we know who are you does not mean you can have 
access!  Once authentication has been complete, an approval program may 
optionally be run, as was mentioned by an earlier poster.

BSD Authentication also includes the concept of classification.  
Classification programs are used to alter how you will do 
authentication.  For example, login might allow standard password 
authentication on a trusted local network (in your house) but require a 
one time password, kerberos, or some other secure mechanism when 
connecting from an external network.

I give kudo's to the OpenBSD team for their work to improve the code 
that BSDi originally made available under the standard CSRG license.

I personally have never been fond of PAM.  I dislike using dynamically 
linked libraries in an application that is security related, in 
particular when it makes that application require root privileges.  I 
realize it may be a popular system, but then, Windows is also popular 

I hope my comments may have provided you some assistance as you work 
towards a solution.  I should mention I am not on this mailing list 
(Peter, if my message does not get posted maybe you can post it for me 
:-) so if you would like me to see a response, or have questions for 
me, please include me on your CC: or To: line.

-Paul Borman