Subject: Re: integrating PAM
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 01/27/2003 16:08:41
[ On Monday, January 27, 2003 at 13:15:07 (-0500), David Maxwell wrote: ]
> Subject: Re: integrating PAM
>
> How many lines-of-code are there in NetBSD's PAM implementation?
> 
> ZERO. It doesn't exist yet.

It's almost literally impossible for any PAM implementation to contain
as few lines of code as BSD Auth.  The API alone makes this pretty
clear, but all existing implementations also make this pretty clear too.

On top of that some folks who seem to speak for TNF seem to be hinting
very strongly that TNF will follow the N.I.H. philosophy with regard to
any authentication scheme, which means that regardless of how well the
implementation starts out, it can _never_ be as mature as any existing
implementation.  Hopefully the N.I.H. philosophy can be squashed in the
bud this time, but as a related example shows there's recently been a
bunch of petty squabbling about how to resolve legacy issues in the
N.I.H. driven DNS resolver library while reasonably mature existing code
sits waiting to be utilized.

In any case both BSD Auth and FreeBSD/OpenPAM PAM exist today, and both
are being used in production and have proven track records.

However that doesn't mean both are good solutions -- just that there's
no obvious reason to re-implement either from scratch (other than N.I.H.).

There are a bunch of things that need to be done to decide which is the
better solution:

Compare the lines of code in those two sample existing implementations.
Don't forget to include the dynamic loader in the PAM count since it's a
critical part of any PAM implementation.

Do a full security audit (not just a code audit, but a full risk
analysis of the design _and_ implementations) of both those sample
existing implementations.

Then after you've done that maybe you can say something hypothetical
about NetBSD's un-designed, un-implemented PAM implementation.  :-)
Certainly you can say something concrete about the existing available
implementations that have been examined.

Although I've not done quite so complex an analysis it is quite clear to
me, after a quick skim of the code for both, that BSD Auth (as it
appears in OpenBSD) has far fewer LOC and of course an almost infinitely
better design than FreeBSD/OpenPAM PAM from a security sensitive
perspective.  If I'm not drastically mistaken the BSD Auth code is also
far more mature too and has been proven in a wider variety of scenarios.

PAM was designed by proprietary software vendors strictly for
proprietary software vendors, and without regard to deeper security
issues, and it shows clear as black on white.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>