Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Ross Patterson <Ross.Patterson@CatchFS.Com>
List: current-users
Date: 01/23/2003 16:37:33
On Thursday 23 January 2003 03:41 pm, Dan Melomedman wrote:
> What seems to me the obvious advantage of BSD Auth is its simplicity.
> Writing authenticating shell scripts, unless I am missing something, is
> inherently easy compared to writing loadable modules. 

I think you're comparing apples to oranges here, although perhaps that's not 
obvious.  Average Linux sysadmins don't write their own PAM modules, they 
write PAM config files that specify which modules to run in what order with 
what parameters.  Think shell scripts but with almost no if-then-else 
capability and no other programming constructs (i.e. straight-line code only) 
(OK, think MS-Dos BAT files :-( ).  The theory goes that PAM modules 
shouldn't be overly hard to write, but most folks shouldn't need to do so.

So, for example, this laptop's definition of "login" authentication is:

	auth        required      /lib/security/pam_securetty.so
	auth        required      /lib/security/pam_env.so
	auth        sufficient    /lib/security/pam_unix.so likeauth nullok
	auth        required      /lib/security/pam_deny.so
	auth        required      /lib/security/pam_nologin.so

That's PAMese for "refuse root logins from insecure terminals", "prime the 
environment variables", "verify against /etc/{passwd,shadow,group}", "refuse 
login if not verified", "refuse all except root if /etc/nologin exists".

> BSD Auth has immediate
> advantages for the common system administrator who would rather write a
> simple interpreter script than wait for someone to write a large and complex
> PAM module such as pam-ldap.

I'm sure it does.  I've written PAM modules in another life, and I wouldn't 
wish the creation of an LDAP-authentication client on my worst enemy, 
regardless of the environment it has to operate in.  Thank goodness PAM 
already has one! (A quick Google search makes it seem like BSD Auth doesn't - 
correct?)  But pam_ldap and the "traditional Unix authentication" module 
pam_unix are about as complicated as they get, and I can't imagine NetBSD 
would ask a sysadmin to code either of those for BSD Auth or for PAM.
-- 
Ross A. Patterson
Chief Technology Officer
CatchFIRE Systems, Inc.
5885 Trinity Parkway, Suite 220
Centreville, VA  20120
(703) 563-4164
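As an added illustration (not part of this message, and not Linux-PAM's own code), here is a small Python model of how the "required" and "sufficient" control flags combine on the login stack quoted above, tracking which modules are actually consulted for each outcome. The per-module results are constructed inputs; as with the real modules, pam_deny is modelled as always failing and pam_env as always succeeding.

```python
"""Toy evaluator for a Linux-PAM style 'auth' stack (constructed example)."""
from typing import Dict, List, Tuple

# The laptop "login" auth stack quoted in the mail, module paths shortened.
LOGIN_AUTH = """
auth required   pam_securetty.so
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required   pam_deny.so
auth required   pam_nologin.so
"""

def parse_stack(text: str, facility: str = "auth") -> List[Tuple[str, str, List[str]]]:
    """Return (control, module, args) for each line belonging to the facility."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue                      # blank lines, comments, other facilities
        stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_stack(stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with (simplified) Linux-PAM control-flag semantics.

    outcomes maps module name -> True (success) / False (failure).
    Returns (authenticated, modules that were actually consulted).
    """
    consulted: List[str] = []
    required_failed = False
    for control, module, _args in stack:
        consulted.append(module)
        fixed = {"pam_deny.so": False, "pam_env.so": True}   # modelled behaviour
        ok = fixed.get(module, outcomes.get(module, False))
        if control == "requisite" and not ok:
            return False, consulted       # abort the stack at once
        if control == "required" and not ok:
            required_failed = True        # remember the failure, keep walking
        if control == "sufficient" and ok and not required_failed:
            return True, consulted        # short-circuit: later modules never run
    return not required_failed, consulted

def login(stack_text: str, secure_tty: bool, password_ok: bool, nologin_ok: bool = True):
    """Hypothetical login attempt: constructed outcomes for the three real checks."""
    outcomes = {"pam_securetty.so": secure_tty, "pam_unix.so": password_ok,
                "pam_nologin.so": nologin_ok}
    return run_stack(parse_stack(stack_text), outcomes)

if __name__ == "__main__":
    print(login(LOGIN_AUTH, True, True))    # good password on a secure tty
    print(login(LOGIN_AUTH, True, False))   # wrong password: pam_deny seals the result
    print(login(LOGIN_AUTH, False, True))   # insecure tty: correct password does not help
```

Because the "sufficient" pam_unix line returns success immediately, the model shows that pam_nologin is only reached on attempts that have already failed, so where a module sits in the stack matters as much as its flag.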