Subject: Re: BSD Authentication
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan@devonit.com>
List: current-users
Date: 08/29/2003 13:25:22
Simon J. Gerraty wrote:
> >>No, that's the whole point of PAM.  No magic whatsoever in login (or
> >>sshd, ftpd, xdm etc if the sysadmin decides to allow such logins
> 
> This is not strictly true - certainly not in the "template user" case
> I was talking about.  sshd, login etc need to explicitly check if 
> a template user name was returned.  I.e. they check if PAM_USER has changed
> from the value they asked to have authenticated.
> 
> >Okay, I see; so, basically, the idea is that a PAM module doesn't just
> >authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
> >it wants in your address space.
> 
> Not at all - though of course any badly written bit of a shared lib could
> do that.
> 
> >That said, there's *some* magic in login - it has to know to load the PAM
> >modules.
> 
> No, you just link login with -lpam, module loading is automagic once the pam
> api is called - but yes, login et al need to make calls to the pam api.

That's why I still think it would be great to have a generic proxy layer
in-between the authenticator and the front-end APIs so you could add BSD
Auth and PAM and whatever at the front-end. But I would be grateful if
simply both versions of the authenticators were shipped with the current
design: login_bsd, login_pam, su_bsd, su_pam, and so on.