Current-Users archive


replace PAM with BSD Auth (was: slow su? [solved])



At Sat, 13 Aug 2011 21:09:44 +0000 (UTC), christos%astron.com@localhost 
(Christos Zoulas) wrote:
Subject: Re: slow su? [solved]
> 
> In article <20110813184531.GA27925%netbsd.org@localhost>,
> David Holland  <dholland-current%netbsd.org@localhost> wrote:
> > 
> > My opinion remains that PAM ought to go, but that's not trivial...
> 
> And replace it with what?

PAM could be replaced with BSD Auth, as was discussed long ago.

It would not be a trivial job, but it would not be a very hard one either,
especially since a working version is available right now for all to see
in OpenBSD.  One could pretty much copy the OpenBSD source files into
place, followed by a review of past changes to the replaced NetBSD
modules to make sure no fixes or features were missed.  OpenBSD doesn't
use nsswitch so there may be some integration work to get nsswitch to
play together nicely with BSD Auth -- I'm not sure about that part.

I'd probably have done all this myself for my own builds if I ever
needed to use an AAA scheme not already supported in the standard
source, but so far all the environments I've ever had to support were
boringly happy to use the basic unix-only stuff -- I haven't even
compiled in the YP support in over half a decade (since the last SunOS-4
machine disappeared from every environment I had to support).

That said I still haven't seen a show of even one hand from anyone who
really needs the ability (or needs to provide their users the ability)
to dynamically modify the AAA schemes in a BINARY-only distribution of
NetBSD, and any vendor creating a binary distribution of NetBSD and who
needs to use a non-standard AAA scheme almost certainly has the
technical skills to integrate it directly into the source.

Another possible reason for using PAM seems to be the suggestion that
NetBSD could potentially use proprietary binary-only PAM modules from
some third-party security vendor, but I've not heard even a rumour of
anyone doing that successfully either.

-- 
                                                Greg A. Woods
                                                Planix, Inc.

<woods%planix.com@localhost>       +1 250 762-7675        http://www.planix.com/



