current-users: Re: pam dying in upgrade

Subject: Re: pam dying in upgrade
To: Peter Seebach <seebs@plethora.net>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: current-users
Date: 09/20/2005 04:27:14
On Feb 9,  2:50pm, Peter Seebach wrote:
} In message <200509200107.j8K179K9024253@vtn1.victoria.tc.ca>, John Nemeth writes:
} >     Great, so you've covered things that can easily be handled through
} >nsswitch (i.e. /etc/passwd, NIS, Hesiod).  What happens if
} >/etc/nsswitch.conf is missing or a specified nsswitch module is
} >missing?  What happens if there is some new scheme for encrypting
} >passwords and the application doesn't handle it properly?  What happens
} >if you are using Kerberos, S/Key, a smartcard, or something else that
} >can't be handled by a simple getpwnam()?  How does the application
} >decide when to fall back to its internal authentication handler and
} >when to bail?  Why should the developers have to maintain N different
} >authentication systems?  Are you volunteering to do this work?
} 
} My theory is that, since we already HAD functional code for doing the flat
} file lookups, it would seem reasonable to, if we simply can't initialize
} another system, try those as a fallback.

      That would mean writing the fallback code, which admittedly
probably wouldn't be very hard.  It would also mean deciding when to
fallback and what methods to try (i.e. do you just try getpwnam(), or
do you run through kerberos, s/key, etc. as well?).  It would also mean
maintaining that crusty code in perpetuity.  One of the big advantages
of PAM (and BSD Auth) is that you don't have to maintain that crusty
code forever.

} >} The comparatively simple configuration is sort of a plus.  :)
} 
} >     I don't find PAM configuration particularly difficult.
} 
} Simple as opposed to complicated.
} 
} How many files, one or many?  Is it a file in a standard format shared by

     Your choice.  You could just have /etc/pam.conf.  You would get it
by prepending the service name to each line in the individual files in
/etc/pam.d and then concatenating them together.  This is actually the
way that it is in the specification.

} many other standard system files, or a custom file format?

     What "standard format"?  Look through /etc and look at things like
inetd.conf compared to disktab.  In any event, the pam configuration is
the same across pretty much all platforms that support it (although a
number of platforms would only use the single /etc/pam.conf file).
Keep in mind that NetBSD is late to the game, and is one of the last
Unix-like OSes of any significance to adopt PAM.  Some of us have been
using PAM for years on other platforms.  For the most part, unless you
feel like messing with it, you don't even know that it is there.

}-- End of excerpt from Peter Seebach