Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 08/29/2003 10:03:05

>>No, that's the whole point of PAM. No magic whatsoever in login (or
>>sshd, ftpd, xdm etc if the sysadmin decides to allow such logins
This is not strictly true - certainly not in the "template user" case
I was talking about. sshd, login etc need to explicitly check if
a template user name was returned. I.e. they check if PAM_USER has changed
from the value they asked to have authenticated.
>Okay, I see; so, basically, the idea is that a PAM module doesn't just
>authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
>it wants in your address space.
Not at all - though of course any badly written bit of a shared lib could
do that.
>That said, there's *some* magic in login - it has to know to load the PAM
>modules.
No, you just link login with -lpam, module loading is automagic once the pam
api is called - but yes, login et al need to make calls to the pam api.
I expect the level of frobbage needed in login etc to support BSD Auth would
be no more or less than that needed to support PAM.
Thanks
--sjg
>-s
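
The check described in the reply above (compare PAM_USER after authentication with the name originally requested), as an added example that is not part of the original message or of any login/sshd source. The function and type names, the lookup hook and the sample accounts are hypothetical, and it assumes the template-user convention in which the session is built from the returned name's passwd entry.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; not taken from login or sshd. */
enum acct_result { ACCT_SAME, ACCT_TEMPLATE, ACCT_DENY };

/* Lookup hook (assumption); a real login program would call getpwnam(3). */
typedef int (*acct_exists_fn)(const char *name);

/*
 * requested:    the name the program asked PAM to authenticate.
 * pam_rc, item: result of pam_get_item(pamh, PAM_USER, &item), called after
 *               pam_authenticate() succeeded (PAM_SUCCESS is 0).
 * On ACCT_SAME or ACCT_TEMPLATE, *account is the name whose passwd entry
 * the session is built from (assumed template-user convention).
 */
enum acct_result
check_pam_user(const char *requested, int pam_rc, const void *item,
               acct_exists_fn exists, const char **account)
{
    const char *returned = item;

    *account = NULL;
    /* Fail closed: without a usable PAM_USER we do not know who logged in. */
    if (pam_rc != 0 || returned == NULL || returned[0] == '\0')
        return ACCT_DENY;
    /* Whichever name PAM settled on must map to a local account. */
    if (!exists(returned))
        return ACCT_DENY;
    *account = returned;
    return strcmp(requested, returned) == 0 ? ACCT_SAME : ACCT_TEMPLATE;
}

/* Constructed sample account database: one ordinary user, one template. */
static int sample_exists(const char *name)
{
    static const char *const db[] = { "alice", "tmpl_staff" };
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i], name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *acct;
    /* "bob" authenticated, but a module changed PAM_USER to a template. */
    int r = check_pam_user("bob", 0, "tmpl_staff", sample_exists, &acct);
    return r == ACCT_TEMPLATE ? 0 : 1;
}
```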