Subject: Re: PROPOSAL: making passwd pluggable (sort of)
To: tech-userlevel@netbsd.org, current-users@netbsd.org, tech-security@netbsd.org
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 01/30/2000 22:30:05
Date: Sun, 30 Jan 2000 22:30:05 -0500
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: tech-userlevel@netbsd.org, current-users@netbsd.org,
	tech-security@netbsd.org
Subject: Re: PROPOSAL: making passwd pluggable (sort of)
Message-ID: <20000130223005.A12294@rek.tjls.com>
Reply-To: tls@rek.tjls.com
References: <20000130122641.A8134@xanadu.kublai.com> <5lsnzfwgvw.fsf@assaris.sics.se>
In-Reply-To: <5lsnzfwgvw.fsf@assaris.sics.se>; from assar@sics.se on Sun, Jan 30, 2000 at 07:31:31PM +0100

On Sun, Jan 30, 2000 at 07:31:31PM +0100, Assar Westerlund wrote:
> Aidan Cully <aidan@kublai.com> writes:
> > Instead, I'd like to attempt to make passwd more pluggable, by defining
> > an array of passwd-module structures.
> 
> Have you thought about using an existing solution for this problem,
> like PAM?  And if you think that PAM is not a good solution, why not?

I thought about that -- in fact, I decided to do it.  But as a sanity
check, before I wrote the code, I tried _using_ a system with PAM for
a few days.  I was... not pleased... with some of the practical
consequences of the design, which I had not thought through adequately
before that point.  The largest, ugliest one was that you basically can't 
do authentication if you're not willing to expose yourself to dynamic 
loading of arbitrary code based on the contents of a configuration file.

I don't want garbage like that in the critical security path of, for
example, my embedded firewalls.  And I *certainly* don't want to have
to dynamically link things like login or passwd, which would be
required in order to get the necessary dynamic loading on some ports...

-- 
Thor Lancelot Simon	                                      tls@rek.tjls.com
	"And where do all these highways go, now that we are free?"