Subject: Re: BSD Authentication
To: None <email@example.com>
From: Dan Melomedman <firstname.lastname@example.org>
Date: 08/29/2003 13:25:22
Simon J. Gerraty wrote:
> >>No, that's the whole point of PAM. No magic whatsoever in login (or
> >>sshd, ftpd, xdm etc if the sysadmin decides to allow such logins
> This is not strictly true - certainly not in the "template user" case
> I was talking about. sshd, login etc need to explicitly check if
> a template user name was returned. Ie. they check if PAM_USER has changed
> from the value they asked to have authenticated.
> >Okay, I see; so, basically, the idea is that a PAM module doesn't just
> >authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
> >it wants in your address space.
> Not at all - though of course any badly written bit of a shared lib could
> do that.
> >That said, there's *some* magic in login - it has to know to load the PAM
> No, you just link login with -lpam, module loading is automagic once the pam
> api is called - but yes, login et al need to make calls to the pam api.
That's why I still think it would be great to have a generic proxy layer
in-between the authenticator and the front-end APIs so you could add BSD
Auth and PAM and whatever at the front-end. But I would be greatful if
simply both versions of the authenticators were shipped with the current
design.login_bsd, login_pam, su_bsd, su_pam, and so on.