Subject: Re: integrating PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 01/23/2003 15:30:15
>I won't use PAM or pam_ldap.
Cool - that's up to you. Please don't demand that no one else can though.
>I would rather write a script in some language which talks LDAP such as perl or
>python, and it would take me an hour to do it, and be custom
>tailored to my needs. I can't do this with PAM, but I can with BSD Auth.
Let's see, your previous arguments against PAM were that it was big,
complex, bloated etc and therefore could not possibly be secure.
But you are quite happy to trust everyone's authentication to a script
written in a big complex bloated interpreter?
You also claim that the avg sysadmin can't/won't write in C...
(this is not true of most sysadmins that I know but hey)
are you confident that those novice admins are going to be able to write
a secure script that correctly deals with the interpreter's meta chars etc?
Are you positive that their site would not be more secure using a compiled
module written by someone who actually knows how to do so?
In short, for anyone seriously contemplating using perl (or probably any
other interpreter) to authenticate via ldap or any other non-trivial
service it's hard to argue that a pam_bsdauth module would make them
any less "secure".
--sjg
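The thread's concern is that a home-grown perl or python LDAP authenticator has to deal correctly with metacharacters. The following is an added illustration, not code from either poster or from NetBSD, showing the two defensive techniques such a script needs: allowlisting the login name before it reaches the filter, and RFC 4515 hex-escaping for free-form attribute values that legitimately contain `(`, `)`, `*` or `\`. It also builds an `ldapsearch` argument vector as a list rather than a shell string, so shell metacharacters never come into play. The username policy regex, the `cn` example and the base DN are assumptions for the demonstration.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an LDAP
# filter assertion value.  A per-character lookup means backslash is never
# double-escaped whatever the order of substitutions.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed local login-name policy (hypothetical, not taken from the thread).
_UID_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(username: str) -> str:
    """Allowlist the login name; anything outside the policy is refused.

    For a login name an allowlist is the right tool: a name that would need
    escaping is not a name this site issues, so it is rejected outright
    rather than escaped and looked up.
    """
    if not _UID_RE.fullmatch(username):
        raise ValueError("login name outside the allowed character set")
    return "(uid=%s)" % username


def build_cn_filter(common_name: str) -> str:
    """For free-form attributes that can legitimately contain parentheses,
    commas or asterisks, escape instead of reject."""
    return "(cn=%s)" % escape_ldap_filter_value(common_name)


def ldapsearch_argv(base_dn: str, username: str) -> list:
    """Build the argv for an ldapsearch call as a list.

    Handing this list to subprocess.run without shell=True means no shell
    ever parses the filter, so only the LDAP filter grammar matters, and
    build_uid_filter has already constrained that.  (-x: simple bind,
    -b: search base, -LLL: bare LDIF output; all are OpenLDAP flags.)
    """
    return ["ldapsearch", "-x", "-b", base_dn, "-LLL",
            build_uid_filter(username), "dn"]


if __name__ == "__main__":
    print(build_cn_filter("Smith, John (IT)"))
    print(ldapsearch_argv("dc=example,dc=com", "sjg"))
```

The split between the two builders is the design point: reject where the data model lets you (login names), escape where it does not (display names), and never let either reach a shell as part of a string.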