Subject: Re: BSD auth for NetBSD
To: None <tech-security@NetBSD.ORG (NetBSD Security Technical Discussion>
From: Roland Dowdeswell <>
List: tech-security
Date: 09/13/2003 13:27:31
On 1063472934 seconds since the Beginning of the UNIX epoch
"Greg A. Woods" wrote:

>You might think it's "overboard", but as someone who's seen these things
>come and go I can assure you that having the ability to put common
>wrapper APIs around things that do authentication actually makes
>maintaining the base OS a lot easier.

That is what PAM and BSD Auth are, wrapper APIs around things that
do authentication.  I was suggesting that it is going overboard to
put a wrapper around two wrappers which will surely end up having
the compromises of both systems.

>I don't wish to turn this into a personal attack but your logic really
>does seem to me to border on that of the worst unthinking sale droid.
>Hopefully such market-_focused_ reasoning continues to be lowest and
>least important of all NetBSD's overall goals.

I do not see how wanting to be able to use 3rd party applications
is ``market-_focused_ reasoning''.  Maybe you do not feel that it
is necessary to use anything that is not in basesrc, but many of
the rest of us actually appreciate the fact that NetBSD can compile
and run applications that were written on other UNIX systems.
Being able to do this follows from making a series of decisions
about adhering to standards that are commonly accepted by the UNIX

Do you think that providing POSIX compatibility is ``market-_focused_
reasoning''?  Maybe it is...  But I am quite glad that we have
decided to be `sale droid'-ish on that issue.

>I'm waiting now to see what you might say now that you've hopefully seen
>through the veneer of your "first inspection"!  ;-)
>I'm still stumbling over the idea that we would really ever care whether
>anything third party supports _our_ authentication mechanisms.  Of
>course I may be thinking of different things than you're thinking of.

Greg, when you have provided BSD Auth client level support to all
of the things in pkgsrc that support PAM, e.g. gdm, kdm, xlock,
xscreensaver, and so on, then please by all means tell us how little
you care about 3rd party support for _our_ authentication mechanisms.
I have little desire to do that, and apparently you do not either
since I haven't seen any patches from you providing said support.

One of the big reasons to go with PAM or BSD Auth is to get NetBSD
out of the rather annoying situation that 3rd party applications
do not authenticate in the same way as the base operating system.

>To me it really doesn't matter one hoot if anyone else but NetBSD and
>OpenBSD users write new authenticators for BSD Auth.  Those are so easy
>to write that they really don't need third party support.  All we need
>from third parties are command-line applications or libraries that can
>interface with whatever tools might be used to do

Yes, I probably don't care either.  What I care about is that the _clients_
will actually authenticate in the same way as login(1).

>As for things that make authentication requests, well there's been such
>a cry for a standard API for making authentication requests in certain
>application areas that major third-party software groups have already
>collaborated to create one:  RFC 2222 (SASL).

Uh, SASL and PAM solve entirely different problems.

>So the point I'm trying to make is that worrying over which framework
>has third party support without knowing all the details of how important
>such support might be is pointless.

As I said above: put up the code for all the apps in pkgsrc and
get back to me.

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/