Subject: Re: BSD auth for NetBSD
To: Noriyuki Soda <>
From: Bill Studenmund <>
List: tech-security
Date: 09/10/2003 21:10:19
On Tue, 9 Sep 2003, Noriyuki Soda wrote:

> >>>>> On Tue,  9 Sep 2003 06:15:27 +0900 (JST),
> (Jun-ichiro itojun Hagino) said:
> > 	as a firm believer of "rough consensus and running code"
> Well, I don't see that there is rough consensus to import BSD auth
> as the basic layer of authentication, because many people pointed out
> that BSD auth can be implemented over PAM, and PAM can never be
> implemented over BSD auth, and also people who agreed with BSD auth
> couldn't produce any counterevidence.
> I have read Frank's post, but he didn't mention which way we should
> go, AFAICT.

As having been one of the more vocal folks on this in the past, let me
explain the "PAM over BSD Auth" idea, at least as I argued it for a few

1) We don't really want to pick sides. We want admins who want to use
bsd_auth modules to be able to (and to have all of the implied privilege
fracturing), and folks who want to use PAM modules to be able to also.

2) We would like apps using NetBSD's libc to be able to take advantage of
either BSD Auth or PAM via nsswitch. That way the choice doesn't end up
burried in a nest of #ifdef, and you don't have to recompile code to

Note: the above implies that applications won't be configured for PAM or
for BSD Auth, but that the admin could be using either one.

3) (2) really nees dynamic nsswitch modules.

4) PAM is a dynamic module layer, so why not just import PAM and not have
a separate nsswitch module layer? -> Do PAM first, then do BSD Auth on top
of that.

At first we thought we could just use the PAM API as the nsswitch module
API, but I'm not not so sure.

Note: last week I was thinking we would just have to have both, since
unifying would be such a mess. I now thing we will have three classes of
apps: ones written explicitly for BSD Auth, ones written explicitly for
PAM, and ones written for libc/nsswitch.  The NetBSD-shipped apps would be
in the latter category, so that one binary distribution could serve as the
basis for both BSD Auth and PAM using instalations.

The difference is that we don't have to unify the full BSD Auth or PAM
APIs, we just have to have an nsswitch API that would cover what our apps
need and could be satisfied by both PAM and BSD Auth; we don't need to
handle the full case of making one look like the other.

> >	here's the working code for BSD auth for NetBSD.
> Hmmm.
> There is a PAM implementation for NetBSD, too.
> Why don't you commit the PAM implementation instead?
> >	now, may i commit?

I think the concensus is that would be premature. While having a
libbsdauth by itself isn't bad, the next step (login support and friends)
really needs to wait for nsswitch support, which in turn needs a unified
BSD Auth/PAM ABI subset. Otherwise we end up possibly hosing users at an
upgrade point.

Take care,