Subject: Re: BSD Authentication
To: Simon J. Gerraty <sjg@crufty.net>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/07/2003 01:18:19
[ On Saturday, September 6, 2003 at 15:19:53 (-0700), Simon J. Gerraty wrote: ]
> Subject: Re: BSD Authentication
>
> An early proposal was to do a shim API, but that got shot down by the
> "I only want BSD Auth" gallery.
Isn't nsswitch such a shim? It's incomplete, but really only needs a
"check-auth" function, IIUC.
> Another option was do BSD Auth via PAM - also shot down by the
> "I only want BSD Auth" gallery.
Indeed -- BSD Auth via PAM is right out of the question. The whole
point of something like BSD Auth is to be able to totally avoid the
likes of PAM while still gaining the ability to implement small,
independent, secure, auditable authentication tools.
> Another alternative may be to implement BSD Auth and PAM via nsswitch
> but I gather the "I only want BSD Auth" gallery won't like that either
> because they don't like nsswitch...
Actually I think nsswitch is a _very_ fine thing -- so long as it
remains workable in static-only environments, just as it is now.
I had to do some rather ugly moving about of #ifdefs to unmangle some of
the NIS & HESIOD code so that when it was disabled it actually did
disappear for real, and I hope to be able to send-pr those changes soon
(once I get time to test that the result still works with those
facilities enabled again), but other than having a rather baroque and
messy, or at least very poorly documented, internal API for
nsdispatch(3), it's really quite a decent way to make the various
"naming" databases independent of the back-end data store.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>