Subject: Re: BSD Authentication
To: Peter Seebach <>
From: Simon J. Gerraty <>
List: current-users
Date: 08/29/2003 10:03:05
>>No, that's the whole point of PAM.  No magic whatsoever in login (or
>>sshd, ftpd, xdm etc if the sysadmin decides to allow such logins

This is not strictly true - certainly not in the "template user" case
I was talking about.  sshd, login etc need to explicitly check if 
a template user name was returned.  Ie. they check if PAM_USER has changed
from the value they asked to have authenticated.

>Okay, I see; so, basically, the idea is that a PAM module doesn't just
>authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
>it wants in your address space.

Not at all - though of course any badly written bit of a shared lib could
do that.

>That said, there's *some* magic in login - it has to know to load the PAM

No, you just link login with -lpam, module loading is automagic once the pam
api is called - but yes, login et al need to make calls to the pam api.

I expect the level of frobbage needed in login etc to support BSD Auth would
be no more or less than that needed to support PAM.