Subject: Re: integrating PAM
To: None <firstname.lastname@example.org>
From: Dan Melomedman <email@example.com>
Date: 01/24/2003 11:30:08
David Maxwell wrote:
> > Right, let's just pretend I never wrote why I don't like PAM.
> I'd like to, but your messages keep filling my inbox, so...
> > I've stated many times about its unneeded complexity,
> Your comments on that topic appear to have been regarding any particular
> _implementation_ of PAM, rather than the API.
> Since NetBSD doesn't yet have a PAM implementation, it's not a valid
> criticism against providing a PAM api.
Because I suspect NetBSD PAM will be API compatible with the rest of the
> > about how easier it is
> > to write and debug BSD Auth modules than it is to write PAM modules due to the
> > API,
> That's not very significant, since far fewer people will write
> authenticaion modules than will use them.
If writing authenticators will be easy this is _very_ significant.
Make it easy to write, and they'll write them.
> > and you can read even more if you look at the August thread. Also,
> > if you take a look at other frameworks such as checkpassword or CVM,
> > they have similar advantages over PAM.
> They don't have the advantage of the existing module implementations.
You probably haven't looked well enough. There are quite a few
authenticators written. Since these are trivial to write compared to
PAM, writing new authenticators won't be such a big deal. There's even a
> > In addition, take a look at
> > the pam_ldap module, its security history, and number of lines of code
> > for instance.
> OpenSSH has had lots of bugs != the ssh protocol is bad.
> There exist buggy PAM modules != PAM is bad.
My point is, you can get the idea about what's involved in writing PAM
modules by looking at pam_ldap. Then you could compare it with
login_ldap, or ldap checkpassword, and make your judgement.