Subject: Re: integrating PAM
To: Bill Studenmund <wrstuden@netbsd.org>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: current-users
Date: 01/23/2003 17:34:11
On Thu, Jan 23, 2003 at 05:10:00PM -0800, Bill Studenmund wrote:

 > We want to start with PAM as we can put BSD Auth on top much more easily
 > than PAM over BSD Auth; getting PAM puts us on a path that will get us
 > both.

Note that we don't necessarily have to consider BSD Auth a non-starter.  If
someone can propose an extension to BSD Auth to address its deficiencies,
then I think that would be fine.

As Paul and others have pointed out, BSD Auth does have some nice properties.
But it does have one really major drawback, that being the inability to modify
the calling process's state (with the exception of environment variables,
which, as Paul pointed out, it can do), with the canonical example being
authentication methods (usually Kerberos-based ones, e.g. AFS) which have to
push a token into the kernel (AFS, DFS, and Kerberized-NFS need this in order
to be able to access your files).

The people claiming those things (AFS, DFS, etc.) are broken are simply going
to have to realize that people *do* use NetBSD in these types of environments,
and so ripping the rug out from under them is, IMO, a non-starter.

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>