Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 08/29/2003 10:03:05

>>No, that's the whole point of PAM.  No magic whatsoever in login (or
>>sshd, ftpd, xdm etc if the sysadmin decides to allow such logins

This is not strictly true - certainly not in the "template user" case
I was talking about.  sshd, login etc need to explicitly check if
a template user name was returned.  I.e. they check if PAM_USER has changed
from the value they asked to have authenticated.

>Okay, I see; so, basically, the idea is that a PAM module doesn't just
>authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
>it wants in your address space.

Not at all - though of course any badly written bit of a shared lib could
do that.

>That said, there's *some* magic in login - it has to know to load the PAM
>modules.

No, you just link login with -lpam, module loading is automagic once the PAM
API is called - but yes, login et al need to make calls to the PAM API.

I expect the level of frobbage needed in login etc to support BSD Auth would
be no more or less than that needed to support PAM.

Thanks
--sjg

>-s
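
The PAM_USER check described in the message above, as an added example that is not part of the original post or taken from login or sshd. The function names, the account table and the injected lookup (a stand-in for getpwnam(3)) are assumptions made so it runs without libpam; it also assumes the session takes its uid, gid and home from the account PAM ended with.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Same shape as getpwnam(3); injected so the example runs offline. */
typedef struct passwd *(*pw_lookup_fn)(const char *);

enum login_result { LOGIN_REJECT, LOGIN_SAME_USER, LOGIN_TEMPLATE_USER };

/* Constructed account table: "remote" plays the template user. */
static struct passwd sample_db[] = {
    { .pw_name = "sjg",    .pw_uid = 1001, .pw_gid = 1001, .pw_dir = "/home/sjg" },
    { .pw_name = "remote", .pw_uid = 2000, .pw_gid = 2000, .pw_dir = "/home/remote" },
};

struct passwd *sample_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++)
        if (strcmp(sample_db[i].pw_name, name) == 0)
            return &sample_db[i];
    return NULL;
}

/*
 * requested: the name the application asked PAM to authenticate.
 * pam_user:  PAM_USER as read back with pam_get_item() after
 *            pam_authenticate() returned PAM_SUCCESS.
 * On success *pw_out is the account the session must run as.
 */
enum login_result resolve_login_user(const char *requested, const char *pam_user,
                                     pw_lookup_fn lookup, struct passwd **pw_out)
{
    *pw_out = NULL;
    if (requested == NULL || pam_user == NULL || *pam_user == '\0')
        return LOGIN_REJECT;
    /* Always look up the name PAM ended with, never the one typed in. */
    struct passwd *pw = lookup(pam_user);
    if (pw == NULL)
        return LOGIN_REJECT;  /* module named an account that does not exist */
    *pw_out = pw;
    return strcmp(requested, pam_user) == 0 ? LOGIN_SAME_USER : LOGIN_TEMPLATE_USER;
}

int main(void)
{
    struct passwd *pw;
    enum login_result r = resolve_login_user("alice", "remote", sample_lookup, &pw);
    printf("result=%d uid=%ld\n", r, pw ? (long)pw->pw_uid : -1L);
    return 0;
}
```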