Subject: Re: Login classes
To: Andrew Brown <atatat@atatdot.net>
From: Peter Seebach <seebs@plethora.net>
List: tech-misc
Date: 06/14/2000 14:26:31

In message <20000614152157.A8386@noc.untraceable.net>, Andrew Brown writes:
>>BSD Authentication is the BSD/OS authentication system.  Basically, it's
>>a login.conf extension that lets you specify authentication methods per
>>login class.  You then have programs with names like
>>"/usr/libexec/login_passwd" which handle authentication.  "login_passwd"
>>is the "traditional" Unix password scheme.  There's also "login_krb_or_pwd",
>>which tries to do either Kerberos or regular passwords.  So, on my NetBSD
>>box, if I have Kerberos running, I do
>>...

>does this mean that i have to have separate login programs for each
>combination of authentication methods i have available to me?

No.  You can also do
	auth=passwd,kerberos,...
if you want.

>(have i asked this before?  this seems so familiar...)

I don't recall seeing it.  Anyway, BSD/OS ships with

login_activ       login_kerberos    login_radius      login_skey
login_auth        login_krb-or-pwd  login_rchpass     login_snk
login_chpass      login_lchpass     login_reject      login_token
login_crypto      login_passwd      login_rpasswd     

by default.  "rpasswd" is a thing that supports a "remote password" database;
it's used by default for radius, so you can have a radius program use "Unix"
authentication, and use a real hashed database (rather than a big flat file),
with encrypted passwords, and still not have to give radius users accounts.
login_reject is obvious, I think.

It would probably be possible to write login_pam, but no one seems to be
very interested.

I'd be glad to answer technical questions about this within the boundaries
of my knowledge, and as I understand it, there's some support for me asking
the engineer questions about it if it'll help further the cause of having a
decent authentication system in more BSD Unix[*].  :)

-s
[*] UNIX(tm) is a trademark of whoever owns it.  Unix is what Thompson and
Ritchie invented.
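
An added example, not part of the original message and not BSD/OS code: a small audit script that resolves which login_* helper programs each login class may invoke, given an "auth=" list like the one in the message. It assumes login.conf uses the termcap-style record syntax (colon-separated capabilities, backslash continuations, tc= inheritance); the sample file, the class names, and the function names parse and auth_helpers are constructed for illustration.

```python
import re

# Constructed sample login.conf; class names and values are illustrative.
SAMPLE = """\
default:\\
    :auth=passwd,kerberos:\\
    :path=/bin /usr/bin:
staff:\\
    :auth=skey,passwd:\\
    :tc=default:
guest:\\
    :tc=default:
locked:\\
    :auth=reject:
"""

HELPER_DIR = "/usr/libexec"               # helper location named in the message
STYLE_RE = re.compile(r"[A-Za-z0-9_-]+")  # a style name becomes part of a path

def parse(text):
    """Return {class: {capability: value}} from termcap-style records."""
    classes = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # fold continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, *caps = line.split(":")
        entry = {}
        for cap in filter(None, (c.strip() for c in caps)):
            key, _, val = cap.partition("=")
            entry.setdefault(key, val)    # first occurrence of a capability wins
        for name in names.split("|"):
            classes[name] = entry
    return classes

def auth_helpers(classes, cls, seen=()):
    """Ordered helper paths for cls, following tc= when auth is not set."""
    if cls in seen or cls not in classes:
        raise ValueError(f"unknown class or tc= loop: {cls}")
    entry = classes[cls]
    if "auth" not in entry:
        if "tc" in entry:
            return auth_helpers(classes, entry["tc"], seen + (cls,))
        return []                         # no auth capability anywhere in the chain
    styles = [s.strip() for s in entry["auth"].split(",")]
    for s in styles:
        if not STYLE_RE.fullmatch(s):     # reject '/', '..', empty names
            raise ValueError(f"bad auth style in class {cls}: {s!r}")
    return [f"{HELPER_DIR}/login_{s}" for s in styles]

if __name__ == "__main__":
    for name in ("default", "staff", "guest", "locked"):
        print(name, auth_helpers(parse(SAMPLE), name))
```

Because each style name is turned into the path of a program that handles authentication, the script refuses any name containing characters outside letters, digits, "_" and "-".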