Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 09/08/2003 23:52:14
In message <20030909044428.DECD4690C@void.crufty.net>, "Simon J. Gerraty" writes:
>>him...rather, ported not coded) within a few days' time. All of the 

>I agree, Peter has been very helpful.  

Amusingly, so far, I haven't actually written a single line of code.
So, if someone else wants something, like help implementing "template users"
under BSD Auth, I'm hereby issuing a coupon for about four hours of work
on any project that will help real people actually *use* this code.

>I don't think there is a PAM only gallery.  I don't think I or anyone
>else has said "no" to BSD Auth.  Just "no, please don't do it in a way
>that precludes doing PAM as well" - then we get Greg trying to
>redefine our needs/wants to show that we don't need/want what we say
>we need/want ;-)  

I think the best we can do, in the real world, is implement both, possibly
with #ifdefs, in login/su/etc.

>Anyway, I think we are finally getting somewhere so let's try not to snatch
>defeat from the jaws of ...

:)

>>My biggest question is...what's the problem with allowing BSD Auth?

>Nothing.  It would have been very nice to not pepper login et al with
>BSD Auth API calls - just as it would be nice not to pepper them with
>PAM calls.  Originally in this thread we were trying to get a handle
>on the feasibility of avoiding that.  Of course there are the
>inevitable side tracks (trying to prove that just by redesigning AFS
>and the rest of the world - there's no need for what we thought we
>wanted) but at this point it sounds like we're stuck with peppering
>them (login et al) with calls for both APIs - yuck - but if you can't
>avoid it, you can't.

I believe this is correct - I think we've established that the "meta-api"
would be so ugly and warty as to be worse than just having both paths,
and some optional way to select between them.

It might be sufficient to just have some additional login.conf cap entry
which says "use pam" or "use BSD auth".

>For myself, I expect BSD Auth would do just fine - as would PAM.
>I also expect that a login_pam would handle 90% of pam modules, just
>as a pam_bsdauth.so would likely handle 90% of BSD Auth thingies - though
>recently it sounds like there aren't many of those available anyway.
>Not that that matters since it seems a simple shell script can suffice
>in many cases.

Right.

So maybe we should go ahead and put the code in login to switch between
"getpwnam" and "auth_..." calls, based on something in login.conf, and
then when someone has PAM code ready, it goes in the
	} else if (!strcmp(login_type, "pam")) {
		// magic here
	}
section.

We could probably even extend the BSD auth protocol enough to support the
specific cases (AFS, template users) that people have brought up in login_pam,
and maybe someone can do a pam_bsdauth.so; that way, people who want to create
strange hybrids can do so.  If any system is to support such combinations,
I think it should be NetBSD.  :)

-s
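The login.conf-driven switch proposed in the message above, as an added illustration that is not code from the thread or from NetBSD's login(1): a tiny getcap-style lookup reads a hypothetical "auth-method" capability from a constructed login.conf record and picks the backend, defaulting to the classic getpwnam path when the capability is absent and refusing to authenticate on an unrecognised value rather than silently falling through.

```c
#include <stdio.h>
#include <string.h>

/* Which code path login(1) would take. The capability name "auth-method"
 * and its values "bsdauth"/"pam" are assumptions for this example. */
typedef enum { AUTH_GETPWNAM, AUTH_BSDAUTH, AUTH_PAM, AUTH_REJECT } auth_backend;

/* Minimal getcap-style lookup over one record. Fields are ':'-separated and
 * continuation lines ("\\\n\t") may appear between fields. Copies the value of
 * "name=value" into out and returns 1, or returns 0 when the name is absent. */
static int cap_lookup(const char *record, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = record;
    while ((p = strchr(p, ':')) != NULL) {
        p++;
        /* skip continuation debris between fields */
        while (*p == ' ' || *p == '\t' || *p == '\\' || *p == '\n')
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ':');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen)
                return 0;           /* oversized value: treat as absent */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* No capability: keep today's getpwnam behaviour. Unknown value: reject,
 * so a typo in login.conf cannot quietly select a weaker path. */
auth_backend select_backend(const char *record)
{
    char val[32];
    if (!cap_lookup(record, "auth-method", val, sizeof val))
        return AUTH_GETPWNAM;
    if (strcmp(val, "bsdauth") == 0)
        return AUTH_BSDAUTH;
    if (strcmp(val, "pam") == 0)
        return AUTH_PAM;
    return AUTH_REJECT;
}

int main(void)
{
    /* constructed login.conf record, not from any real system */
    const char *staff = "staff:\\\n\t:auth-method=pam:\\\n\t:umask=022:";
    printf("staff class -> backend %d\n", select_backend(staff));
    return 0;
}
```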