Subject: Re: integrating PAM
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/27/2003 15:02:00
David Maxwell wrote:
> 
> I appreciate that you can read it that way, but there's no context in
> that message to indicate that.
> 
> Here's the complete original from Greg:
> 
> > Subject: Re: integrating PAM
> > To: None <current-users@netbsd.org>
> > From: Greg A. Woods <woods@weird.com>
> > List: current-users
> > Date: 01/25/2003 23:58:18 
> > [ On Thursday, January 23, 2003 at 22:54:49 (-0500), David Maxwell wrote: ]
> > > Subject: Re: integrating PAM
> > >
> > > There exist buggy PAM modules != PAM is bad.
> > 
> > Yes, but the number of lines of code does give a good hint towards the
> > number of bugs that might be expected in it.
...

> > Large and complex code is bad, and doubly so when it has to run as root,
> > triply so if it also _requires_ dynamic loading of new object code.
> > 
> > The BSD Auth code is truly quite small and it's also quite readable and
> > the design is very elegant and clean.  It's bound to have fewer bugs
> > than an equally mature PAM implementation.
...

> I don't see the word 'ldap' in there and I don't see the word 'module'
> in there. I do see the phrase 'PAM implementation'.

Because I think Greg was referring to my original message, which talks about
the number of lines of code in pam-ldap and compares it to checkpassword and
BSD Auth modules which perform an identical function. Maybe he isn't, but I
certainly was talking about the amount of code each framework demands.

> Also, in any case,
> 
> There exist large buggy PAM modules != There cannot exist small,
>                                        bug-free PAM modules.

I highly doubt this can be true if the NetBSD PAM API is to be compatible
with either of the currently used APIs. An LDAP checkpassword module
or an LDAP BSD Auth module is inherently simpler because in either
framework the modules are allowed to be simple (mostly because
processes are easier than shared libraries).
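The process-based design Dan is contrasting with PAM's shared libraries is easy to see in the checkpassword interface: the caller writes "<user>\0<pass>\0<timestamp>\0" to file descriptor 3 of a child process and learns the verdict from its exit status (0 accepted, 1 rejected, 2 misuse, 111 temporary failure), so the module never shares an address space with the privileged caller. The following is an added example written for this page, not code from the thread, from NetBSD, or from any checkpassword distribution; the in-memory credential table is constructed for illustration, and a real module would consult LDAP or the password database and, on success, drop to the user's uid/gid before exec'ing argv[1], which is omitted here.

```c
/* Minimal checkpassword-style verifier (added example, not from the
 * thread or from any NetBSD/checkpassword code). The caller supplies
 * "<user>\0<pass>\0<timestamp>\0" on fd 3; the module reports its verdict
 * through the exit status as the checkpassword interface defines it. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CP_OK       0    /* credentials accepted */
#define CP_REJECT   1    /* credentials rejected */
#define CP_MISUSE   2    /* malformed request / misuse of the interface */
#define CP_TEMPFAIL 111  /* temporary failure (backend unavailable, etc.) */

/* Constructed credential store for the example (assumption: a real module
 * would query LDAP or /etc/master.passwd instead). */
struct cred { const char *user; const char *pass; };
static const struct cred table[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Constant-time comparison so a reject does not leak how long a matching
 * prefix of the password was. */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    unsigned char diff = (unsigned char)(alen != blen);
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Split the fd-3 payload into its three NUL-terminated fields.
 * Returns CP_MISUSE if fewer than three terminated fields are present,
 * so a truncated or unterminated request is never treated as a login. */
int cp_parse(const char *buf, size_t len, const char **user, const char **pass)
{
    const char *f[3] = { NULL, NULL, NULL };
    const char *start = buf;
    size_t field = 0;
    for (size_t i = 0; i < len && field < 3; i++) {
        if (buf[i] == '\0') {
            f[field++] = start;
            start = buf + i + 1;
        }
    }
    if (field < 3)
        return CP_MISUSE;
    *user = f[0];
    *pass = f[1];   /* f[2] is the timestamp; unused by this module */
    return CP_OK;
}

/* Verify one request buffer; returns the checkpassword exit status. */
int cp_check(const char *buf, size_t len)
{
    const char *user, *pass;
    int rc = cp_parse(buf, len, &user, &pass);
    if (rc != CP_OK)
        return rc;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].user, user) == 0)
            return ct_equal(pass, strlen(pass),
                            table[i].pass, strlen(table[i].pass))
                   ? CP_OK : CP_REJECT;
    }
    return CP_REJECT;   /* unknown user: same verdict as a wrong password */
}

int main(void)
{
    char buf[512];      /* checkpassword reads at most 512 bytes from fd 3 */
    ssize_t n = read(3, buf, sizeof buf);
    if (n <= 0)
        return CP_MISUSE;
    /* A real module would setuid/setgid to the user and exec argv[1] here;
     * this example only returns the verdict to the caller. */
    return cp_check(buf, (size_t)n);
}
```

Because the verdict crosses a process boundary as an exit status, the privileged caller (a login program or mail server) needs only fork, write the three fields to the child's fd 3, and wait; the module itself can be a short program like this one, audited on its own, rather than object code loaded into the caller's root-running address space.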