In message <20030906221953.D20BEA630@zen.crufty.net>, Simon J. Gerraty writes:
>An early proposal was to do a shim API, but that got shot down but the
>"I only want BSD Auth" gallery.

No, it got shot down by the impossibility of any kind of reasonably clean
API which handles both BSD Auth and PAM.

>Another option was do BSD Auth via PAM - also shot down by the 
>"I only want BSD Auth" gallery.  

No, it got shot down by the lack of API compatibility; if I can't compile
a program which uses BSD Auth, then I don't have BSD Auth.

I don't object to PAM existing, or being in the system, but I want to be able
to compile a program which uses BSD Auth and have it work.

I think the "only BSD Auth" gallery is a figment of your imagination.

I think the best solution available to us is:
1.  Implement libbsdauth and libpam.
2.  Build calls for both of them into login/su/xdm/etc.  This is mostly
already done if we're willing to steal code from two different systems.
3.  Optionally, implement a new API which handles the easy cases and
switches between them.

Neither API is a proper subset of the other.

-s