Subject: Re: Centralized User and Password Management
To: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 12/05/2004 17:32:54
[ On Monday, November 29, 2004 at 15:29:59 (+0100), Pavel Cahyna wrote: ]
> Subject: Re: Centralized User and Password Management
>
> Say there is a screen-locking program like xlock or xscreensaver,
> which requires a password to unlock the screen. Isn't pam_krb5 the right
> way in this situation to ensure that this password is consistent with the
> password used to login?

No, not at all.

PAM is just one possible answer to the problem of accessing the "shadow"
password (i.e. /etc/spwd.db on NetBSD) so that the user's system
password can be used by a non-privileged application such as xlock,
though I forget exactly how the PAM advocates claim it is supposed to be
secure.  :-)  (PAM does have other claimed benefits of course but none of
them are really relevant to your example.)

Cyrus SASL's "saslauthd -a getpwent" is another, better and far more
secure, way to do the same thing; and the BSD/OS authentication
architecture that's often been discussed in NetBSD circles is yet an even
better way.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
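As an added illustration of the point made above, not code from the thread or from Cyrus SASL: a mock of the saslauthd-style design, in which an unprivileged screen locker hands login and password to a separate daemon over a Unix socket and only gets a yes/no back, so the locker itself never reads /etc/spwd.db. The wire format used here (16-bit big-endian length-prefixed login, password, service and realm; a length-prefixed OK/NO reply) is my assumption about saslauthd's mux protocol, and the daemon, socket path and password table are constructed stand-ins.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed sample password table, held only by the daemon side of the socket.
# Plaintext purely for the demo; a real "saslauthd -a getpwent" compares crypt(3) hashes.
DAEMON_PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}

def _pack(fields):
    # Assumed saslauthd mux request: each field is a 16-bit big-endian length
    # followed by its bytes, in the order login, password, service, realm.
    return b"".join(struct.pack("!H", len(f)) + f.encode() for f in fields)

def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf

def _read_field(conn):
    (n,) = struct.unpack("!H", _recv_exact(conn, 2))
    return _recv_exact(conn, n).decode()

def mock_saslauthd(listener):
    """Stand-in for the privileged daemon: the only code that sees the password table."""
    while True:
        conn, _ = listener.accept()
        with conn:
            login, password, service, realm = [_read_field(conn) for _ in range(4)]
            reply = b"OK" if DAEMON_PASSWORDS.get(login) == password else b"NO"
            conn.sendall(struct.pack("!H", len(reply)) + reply)

def check_password(mux_path, login, password, service="xlock", realm=""):
    """What an unprivileged locker does: ask the daemon, never open the shadow DB."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(_pack([login, password, service, realm]))
        return _read_field(s).startswith("OK")

def start_mock_daemon():
    path = os.path.join(tempfile.mkdtemp(), "mux")  # constructed socket path
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(5)
    threading.Thread(target=mock_saslauthd, args=(listener,), daemon=True).start()
    return path

if __name__ == "__main__":
    mux = start_mock_daemon()
    print(check_password(mux, "alice", "correct horse"))  # True
    print(check_password(mux, "alice", "wrong"))          # False
```

The only thing that crosses the socket is the attempt and a verdict, which is the property that matters when the client is something as exposed as a screen locker.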