tech-security: Re: BSD auth for NetBSD

Subject: Re: BSD auth for NetBSD
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 09/11/2003 09:49:32

On Thu, 11 Sep 2003, Greg A. Woods wrote:

> [ On Thursday, September 11, 2003 at 00:42:25 (-0400), Todd Vierling wrote: ]
> > Subject: Re: BSD auth for NetBSD
> >
> > If that were the case, with dynamic nsswitch modules, then neither BSD auth
> > nor PAM even need to be in the base system.  (There's already a growing
> > pkgsrc PAM module base, and all you'd need would be a package that glues PAM
> > to the dynamic nsswitch API.)
>
> Nsswitch is not sufficient on its own, dynamic or otherwise.  It still
> leaves us with just a way to pull username/crypted-passwd strings and
> the other associated account information from run-time configurable
> sources.  I.e. it still leaves us stuck with just secret passwords and
> many #ifdefs everywhere for anything and everything else.  I.e. nsswitch
> still needs some way to allow the choice of authentication test to be
> configured at runtime, and that's exactly what BSD Auth does, and only
> what BSD Auth does.  I.e. it fills a currently void niche in NetBSD.
>
> There are also many other good reasons to convert the base NetBSD
> release to use BSD Auth natively by default (in conjunction with keeping
> nsswitch and/or moving to BIND's equivalent).  Those who still think
> they want/need PAM can still glue it in in the way Bill suggests with
> dynamic nsswitch modules.  All of those of us who want BSD Auth want it
> not just because we might need to use some simple authenticator module
> written for BSD Auth, but more because we all want all of the things BSD
> Auth stands for (good clean secure elegant and simple design, for
> example).  All of those things are very good for NetBSD in general and
> for all NetBSD users too, even those still happy with just using good
> old fashioned secret passwords!

Have you not been listening? You're pushing in essence for a winner to get
declared, and for that winner to be BSD Auth. That's not going to fly at
present. BSD Auth will go into the tree much quicker and with much less
fuss after an active effort (not "they can fix it later") to support both
BSD Auth and PAM for nsswitch happens.

Pushing and shoving will only make it less likely to happen.

Take care,

Bill