Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Oleg Polyanski <luke@jetinf.com>
List: tech-userlevel
Date: 07/11/2000 13:36:46
Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
> >> You stated that PAM doesn't add any functionality as long as you have
> >> source to the OS. I said it did. It's not the only way to add that
> >> functionality, but that's not the question either.
>
> Eduardo> PAM requires dynamic linking. Not all ports support dynamic linking. We
> Eduardo> cannot use PAM.
>
> And on those ports that do support dynamic linking, a lot of us do not
> want to use it. In fact, this is my number 1 reason to install NetBSD/i386
> instead of Linux for a firewall or web server.

When software has a `buffer overflow' problem (either stack or heap
overflow), static linking will not help you; it's just another kind of
security through obscurity.

> PAM *requires* dynamic linking. It simply does not support statically
> linking-only on any system that I've seen. I *WANT* to rebuild from source.
> I'd still like it to be as simple as possible, and having external programs
> (a la login.conf) to me is the best way... and one can an external
> authenticator that can load pam modules, so this can be a win-win situation.
>
> :!mcr!: | Solidum Systems Corporation, http://www.solidum.com
> Michael Richardson | ... somewhere in SFO airport ...
> Personal: mcr@sandelman.ottawa.on.ca. PGP key available.
> Corporate: mcr@solidum.com.