Current-Users archive


Re: replace PAM with BSD Auth (was: slow su? [solved])

At Mon, 22 Aug 2011 02:27:14 +0000, David Holland 
<> wrote:
Subject: Re: replace PAM with BSD Auth (was: slow su? [solved])
> There are some PAM modules
> in pkgsrc, for example, and other third-party ones that aren't but
> that someone probably uses.

So?  "probably" doesn't count -- a show of hands "counts"!

Then once we know what modules they are and how important they are to
those who do use them, then maybe we will know whether it's worth the
effort of writing a login_*(8) "script" to replace them or not (if there
isn't one already in existence).

> Also, as far as I know bsdauth doesn't fix the fundamental structural
> problem that login should be *unprivileged* until a login occurs...

That's not a problem that can be solved at all, at least not on a
Unix-like system using set-UID, and outside of the kernel, at least not
so far as I've been able to figure out in over a decade of thinking
about it off and on.  The superuser must start the chain of command.

If you can figure out how to solve that problem then BSD Auth will only
help by providing a tried and true method of privilege separation for
the authentication and authorization parts of the picture -- something
PAM cannot ever do in its current form.

The one thing BSD Auth doesn't do is to provide a similarly simple and
elegant IPC-based method for nsswitch to also query the same interface
that was used to provide the initial A&A information.

At least NetBSD has nsswitch already in place so this wouldn't be very
difficult to implement.  In fact I've already been thinking about it.

                                                Greg A. Woods
                                                Planix, Inc.

<>       +1 250 762-7675

Attachment: pgpye7w9acDGm.pgp
Description: PGP signature
