Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: Michael Richardson <firstname.lastname@example.org>
From: Oleg Polyanski <email@example.com>
Date: 07/11/2000 13:36:46
Michael Richardson <firstname.lastname@example.org> writes:
> >> You stated that PAM doesn't add any functionality as long as you have
> >> source to the OS. I said it did. It's not the only way to add that
> >> functionality, but that's not the question either.
> Eduardo> PAM requires dynamic linking. Not all ports support dynamic linking. We
> Eduardo> cannot use PAM.
> And on those ports that do support dynamic linking, a lot of us do not
> want to use it. In fact, this is my number 1 reason to install NetBSD/i386
> instead of Linux for a firewall or web server.
When software has `buffer overflow' problem (either stack or heap
overflow) static linking will not help you, it's just another kind of
security through obscurity.
> PAM *requires* dynamic linking. It simply does not support statically
> linking-only on any system that I've seen. I *WANT* to rebuild from source.
> I'd still like it to be as simple as possible, and having external programs
> (a la login.conf) to me is the best way... and one can an external
> authenticator that can load pam modules, so this can be a win-win situation.
> :!mcr!: | Solidum Systems Corporation, http://www.solidum.com
> Michael Richardson | ... somewhere in SFO airport ...
> Personal: email@example.com. PGP key available.
> Corporate: <A HREF="mailto:firstname.lastname@example.org">email@example.com</A>.