Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 08/28/2003 03:32:58
In message <200308280827.h7S8Rbih024539@vtn1.victoria.tc.ca>, John Nemeth writes:
> The reasons I want PAM are twofold. The first is because of the
>ability to have "template users." I did a "kiosk" project, which would
>have been very difficult to do without it.
I don't know enough about the "template users" thing to know how hard
it is to do; I do know that BSD/OS had a perfectly workable solution to
the problem of handling many thousands of name/password combinations which
ran in the same environment.
> The second is that PAM is becoming ubiquitous. Most OSes have it
>now, i.e. Solaris, HP/UX, FreeBSD, Linux, etc., and most third party
>apps that need to do authentication can use it. There are also lots of
>third party PAM modules.
Fine, so we eventually need to have it.
> Like it or not, PAM is rapidly becoming a requirement to be
>considered a serious OS. There is a standards document for it. One
>can argue all they want about the legitimacy of the standards body that
>produced it, but you can't deny that the document exists.
Great. So?
>One can also
>argue about the design and/or security of it, but those arguments
>aren't relevant when compared against the ubiquity of PAM.
By this argument, we ought to support Win32 executables natively, and provide
a system call for any program that wants setuid privs to be able to get them.
Ubiquity alone doesn't make a feature acceptable for NetBSD.
>others in the industry picked up. It quickly grew to the point where
>it was a must have feature. I see PAM taking the same course. People
>can argue about it all they want, but I believe the day is rapidly
>coming where it will be a requirement for an OS to have PAM if it wants
>to remain in the game.
Great, so we include it.
> Having said the above, I have no complaints to BSD auth being
>added to the system as long as it doesn't interfere with PAM being
>added.
My guess is that, were someone to provide a "login_pam", 90% of the things
for which PAM is used today would work without much effort. I'll see if
I can hit up one of the BSD Auth experts for some advice on how he'd solve
the AFS problems and similar ones; there may be obvious solutions to these
which I just haven't seen yet.
-s