Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: None <itojun@iijlab.net>
From: Giles Lean <giles@nemeton.com.au>
List: tech-userlevel
Date: 07/01/2000 07:39:56

> 	while i was chatting with a bsdi (not freebsd) guy, he showed a big
> 	worry about dynamically-loaded auth modules like PAM, for security
> 	issues.  is it not the case?

Increasing complexity is generally frowned upon from the security
point of view.  PAM is more complex than "traditional" authentication
mechanisms such as NetBSD has currently, and the tradeoff is that it
offers new and, to some sites, useful functionality.

PAM is currently used by HP-UX, Linux, Solaris, and probably more
systems that I don't know about.  I don't think a "big worry" is
necessary for PAM merely on the grounds that it uses dynamically
loaded modules.

Regards,

Giles