Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: replace PAM with BSD Auth (was: slow su? [solved])

At Mon, 22 Aug 2011 03:31:17 +0000, David Holland 
<> wrote:
Subject: Re: replace PAM with BSD Auth (was: slow su? [solved])
> I don't think the frontend API is half as important to retain as the
> module API.

I'm not sure what you mean by "frontend API" (the interface used by
programs that need to perform A&A tasks?), but the module API, and the
implications of it running in the address space of the caller, is
actually a very big part of the problem with PAM.

That said I've heard tell of people putting wrapper programs around PAM
modules to protect the caller from PAM module bugs, presumably using
some sort of IPC to communicate with the module.  If that's possible
then it may also be possible to write a BSD Authentication "script"
which interfaces to PAM modules.  I.e. create a "PAM" authentication
style:  /usr/libexec/auth/login_pam.

                                                Greg A. Woods
                                                Planix, Inc.

<>       +1 250 762-7675

Attachment: pgpbuk4rMJClE.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index