tech-pkg archive

why is PAM only default-enabled for NetBSD in security/openssh?



This was added in 2017.

My impression is that PAM is implemented on many systems and is
certainly not a NetBSD-only feature.   There is support to build it on
other systems, it seems, and even code for Linux to set PLIST.pam.

According to bulktracker, security/openpam builds on at least:

  CentOS
  Darwin
  NetBSD (but builtin is used)
  Rocky Linux
  SmartOS

So my questions are:

  Does openpam on other systems find the system pam, and does the
  resulting build then use the system pam config?

  Why isn't the pam option just enabled?  Is the point that choosing to
  run PAM is an odd choice, and thus it's enabled only on systems that
  have a pam setup by default?

  Adding the example config is done only on Linux.  This doesn't make
  sense.  NetBSD has an /etc/pam.d/sshd in base, so I can see "don't
  install it on NetBSD".  But on the other hand, it's an example, and it
  might be different.

So I would think we should probably:

  enable pam by default, and disable it individually if any platforms
  are known to be problematic

  whenever pam is active, install the example file (as an example)


Am I missing something?


