Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Dan Melomedman <email@example.com>
Date: 08/29/2003 12:47:55
Peter Seebach wrote:
> In message <Pine.GSO.firstname.lastname@example.org>, "Dr R.S. Brooks"
> >No, that's the whole point of PAM. No magic whatsoever in login (or
> >sshd, ftpd, xdm etc if the sysadmin decides to allow such logins
> >through those routes). All the magic is contained in the PAM modules,
> >and is turned on by the appropriate configuration in /etc/pam.conf.
> >If you have a binary program which you have purchased from Foobar Inc
> >and it uses PAM, then you will be able to make it behave in the same
> >magic way with the correct entries in pam.conf.
> Okay, I see; so, basically, the idea is that a PAM module doesn't just
> authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
> it wants in your address space.
> That said, there's *some* magic in login - it has to know to load the PAM

Everything needing PAM needs to be linked against libpam. If a PAM module
needs to be root, your authenticated process must be privileged on
its behalf, which is another reason why I don't like it.