At Mon, 22 Aug 2011 03:31:17 +0000, David Holland
<dholland-current%netbsd.org@localhost> wrote:
Subject: Re: replace PAM with BSD Auth (was: slow su? [solved])
>
> I don't think the frontend API is half as important to retain as the
> module API.
I'm not sure what you mean by "frontend API" (the interface used by
programs that need to perform A&A tasks?), but the module API, and the
implications of it running in the address space of the caller, is
actually a very big part of the problem with PAM.
That said I've heard tell of people putting wrapper programs around PAM
modules to protect the caller from PAM module bugs, presumably using
some sort of IPC to communicate with the module. If that's possible
then it may also be possible to write a BSD Authentication "script"
which interfaces to PAM modules. I.e. create a "PAM" authentication
style: /usr/libexec/auth/login_pam.
--
Greg A. Woods
Planix, Inc.
<woods%planix.com@localhost> +1 250 762-7675 http://www.planix.com/
Attachment:
pgpbuk4rMJClE.pgp
Description: PGP signature