Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 08/28/2003 03:32:58
In message <200308280827.h7S8Rbih024539@vtn1.victoria.tc.ca>, John Nemeth writes:
>     The reasons I want PAM are twofold.  The first is because of the
>ability to have "template users."  I did a "kiosk" project, which would
>have been very difficult to do without it.

I don't know enough about the "template users" thing to know how hard
it is to do; I do know that BSD/OS had a perfectly workable solution to
the problem of handling many thousands of name/password combinations which
ran in the same environment.

>     The second is that PAM is becoming ubiquitous.  Most OSes have it
>now, i.e. Solaris, HP/UX, FreeBSD, Linux, etc., and most third party
>apps that need to do authentication can use it.  There are also lots of
>third party PAM modules.

Fine, so we eventually need to have it.

>     Like it or not, PAM is rapidly becoming a requirement to be
>considered a serious OS.  There is a standards document for it.  One
>can argue all they want about the legitimacy of the standards body that
>produced it, but you can't deny that the document exists.

Great.  So?

>One can also
>argue about the design and/or security of it, but those arguments
>aren't relevant when compared against the ubiquity of PAM.

By this argument, we ought to support Win32 executables natively, and provide
a system call for any program that wants setuid privs to be able to get them.
Ubiquity alone doesn't make a feature acceptable for NetBSD.

>others in the industry picked up.  It quickly grew to the point where
>it was a must have feature.  I see PAM taking the same course.  People
>can argue about it all they want, but I believe the day is rapidly
>coming where it will be a requirement for an OS to have PAM if it wants
>to remain in the game.

Great, so we include it.

>     Having said the above, I have no complaints to BSD auth being
>added to the system as long as it doesn't interfere with PAM being
>added.

My guess is that, were someone to provide a "login_pam", 90% of the things
for which PAM is used today would work without much effort.  I'll see if
I can hit up one of the BSD Auth experts for some advice on how he'd solve
the AFS problems and similar ones; there may be obvious solutions to these
which I just haven't seen yet.

-s