Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Simon J. Gerraty <sjg@crufty.net>
List: current-users
Date: 09/07/2003 00:41:14

>I dunno how much code PAM is, but a hair over 45k of code which hasn't needed
>to be updated in a long time seems pretty small and fairly stable.  (I don't
>currently have access to that CVS tree, so I can't actually tell you whether
>there's been recent changes, but I doubt it.)  And, of course, this being
>BSD-license code, the copyright notices are fairly big, so the code isn't
>as big as it looks.  Including copyright notices, it's 1,930 lines of code.
>So, how big is PAM?

About 4300 lines for the library plus 470 lines for the radius module
for example.

>the caller's address space; this means that, even apart from an intentional
>attack, that a bug in a PAM module can do things within an otherwise
>carefully-audited program.  Each new module introduces that risk all over

For sure, but most folk will use only one or two modules.
We use radius, tacplus, and unix and that's been the case
for years.  So PAM is twice as big (or more), but no less stable.
I dare say if BSD Auth had existed 6 years ago (or we'd known about it)
we might be using that...

--sjg