tech-security archive
Re: BSD Auth
On 18-Aug-08, at 7:50 AM, markucz%gmail.com@localhost wrote:
> Straight to the point: is there a way to use BSD Auth with NetBSD?
One can try porting the BSD Auth code from OpenBSD. I have not yet
tried that myself.
> In 4.0 one can't do without PAM.
Perhaps not without building yourself from source. :-)
However I seem to be doing fine without PAM in my netbsd-4 systems.
I use the following settings in my mk.conf (plus there should be some
changes to some makefiles and to the sets lists, but I haven't got
around to them yet):
MKPAM = no
USE_PAM = no
> I've lived happily without it so far. I don't mind having it in base,
> I'm just curious whether it's possible to replace its functionality by
> BSD Auth. I managed to find some code written in 2003 [1], and now I'm
> examining it to see what can be done with it and if it can be somehow
> integrated alongside with PAM.
I'm not sure it would make sense to have them integrated together into
the same system. In my estimation they can't really both be there in
the same build (certainly not for anyone who wants the full and
guaranteed privilege separation offered by BSD Auth), and with a
compile-time option the non-default one is sure to bitrot. Previous
discussions resulted in nothing really and PAM was blasted into the
tree without taking into account any technical considerations. Lame
excuses were given that somehow BSD Auth could be implemented as a PAM
module after PAM was fully integrated, but of course that blows one of
the main benefits of BSD Auth right out of the picture (true
guaranteed privilege separation).
Personally I think since OpenPAM is already well supported as a stand-
alone project it should be they who provide an optional patch to apply
to NetBSD for those system integrators who wish to offer PAM instead
of BSD Auth. :-)
--
Greg A. Woods; Planix, Inc.
<woods%planix.ca@localhost>