Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: Michael Richardson <>
From: Oleg Polyanski <>
List: tech-userlevel
Date: 07/11/2000 13:36:46
Michael Richardson <> writes:

>     >> You stated that PAM doesn't add any functionality as long as you have
>     >> source to the OS. I said it did. It's not the only way to add that
>     >> functionality, but that's not the question either.
>     Eduardo> PAM requires dynamic linking.  Not all ports support dynamic linking.  We
>     Eduardo> cannot use PAM.
>   And on those ports that do support dynamic linking, a lot of us do not
> want to use it. In fact, this is my number 1 reason to install NetBSD/i386
> instead of Linux for a firewall or web server. 

        When  software  has `buffer overflow'  problem (either  stack or heap
        overflow) static linking will not help you, it's just another kind of
        security through obscurity.

>   PAM *requires* dynamic linking. It simply does not support statically
> linking-only on any system that I've seen. I *WANT* to rebuild from source.
>   I'd still like it to be as simple as possible, and having external programs
> (a la login.conf) to me is the best way... and one can an external
> authenticator that can load pam modules, so this can be a win-win situation.
>    :!mcr!:            |  Solidum Systems Corporation,
>    Michael Richardson |      ... somewhere in SFO airport ...
>  Personal: PGP key available.
>  Corporate: <A HREF=""></A>.