Subject: PAM
To: NetBSD current users mailing list <current-users@netbsd.org>
From: David Ferlier <david@netbsd-fr.org>
List: current-users
Date: 03/10/2003 05:30:05
Hi all,

It's been two nights i have been working on PAM integration in NetBSD, and i
wanted to have some inputs about the work i did.

Basically, i started off from OpenPAM that is included in FreeBSD, because it
was just looking better than Linux-PAM (the license was a plus too ;)

As i have no NetBSD account, i created a new NetBSD CVS repository, starting
from 1.6P, that is accessible at happy-hacking.homeunix.org
(CVSROOT: ":pserver:anoncvs@happy-hacking.homeunix.org:/pub/cvs") .

There's a CVSweb interface at:

  http://happy-hacking.homeunix.org/cvs

There's read-only anoncvs access (login: anoncvs, password: access).

Now, on the code side.

I added src/lib/libpam; inside there are libpam (the code for the library),
modules (the PAM modules), and include. The whole PAM library compiles fine,
with some mandatory tweaks (notably openpam_dynamic.c and others).

I added openpam_modules_paths.h, that contains an array of paths that PAM can
use to dlopen() modules. It basically contains "/usr/lib/security" and
"/usr/pkg/lib/security", but we can easily change them. This way, PAM won't be
able to load modules in /usr/lib or /usr/pkg/lib. That's a point i'd like to
have input on ;)

I removed some modules that have nothing to do in the base tree of PAM,
pam_radius for example.

I reworked pam_unix to make it work with nis password changing and other things.

I added src/etc/pam.d where live all the PAM policys (a make install installs
them in /etc/pam.d, and i added a file openpam_policy_paths.h (included from
openpam_configure.c) that lists paths allowed for policy files, basically
/usr/pkg/etc/pam.d and /etc/pam.d)

For applications that use PAM: i worked on the following applications, for now:
 
 - login
 - su
 - ftpd

All of them work fine with PAM now.
I have also code for telnetd and sshd, but i didn't test it though.

pam_bsdauth is also on my todo-list 8-)

David

-- 
	David Ferlier -- david@netbsd-fr.org

    http://happy-hacking.homeunix.org     (IPV4)  ||
    http://cobaye.segfault.quatriemek.com (IPV6)