Subject: Re: Proposals on Authentication
To: Simon J. Gerraty <sjg@crufty.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-userlevel
Date: 02/12/2003 16:02:07
On Wed, 12 Feb 2003, Simon J. Gerraty wrote:

> >There are three major components of such a system which I believe
> >can be discussed separately.  Namely:
>
> >	i.   the API/ABI which is presented to the client
> >	     applications needing to authenticate users,
> >	ii.  the internal workings of the system including
> >	     configuration and administration, and
> >	iii. the API/ABI which is presented to the external
> >	     authentication modules.
>
> Sounds reasonable.

Indeed.

> >to complete its job.  Of the aforementioned clients, all of them
> >already support PAM but only some of them support BSD Auth.
>
> >This suggests that no matter what strategy we end up taking that
> >we should actually present a PAM client interface to clients of
>
> Also sounds reasonable.

Good.

> >For now, I propose that we take the following actions:
>
> >	1.   write a PAM client interface which rather than
> >	     loading .so's simply follows the same procedures
> >	     as login(1),
>
> Again, reasonable - assuming that the full API is supported.
> It might be prudent to look at BSD Auth and see if any API extensions
> are needed to meet its capabilities too.  While that might end up
> being counter productive (a variation on a "standard") it
> might be worth considering for those that want to implement a shim to
> utilize BSD Auth.

I agree with this point. Being able to do BSD Auth too is important, and
we should have the hooks for it.

> >	2.   ensure that the interface is ABI compatible with
> >	     LinuxPAM,
>
> Ok, here I get nervous.  One of the common themes from the ``PAM over my
> dead system camp'' has been the quality or lack thereof of Linux PAM.
> From the API perspective, how does LinuxPAM compare to BSD PAM
> (as used by FreeBSD)?  I'm more familiar with that - since we
> use it at work.  I've not looked at freebsd lately - but I
> know Juniper contributed PAM code to freebsd and so support for
> radius, tacplus, skey, ssh, opie and of course unix should all be there.

So here I'm confused. Is the difference really more than just error
numbers & stuff in headers? i.e. as long as we make one choice and stick
with it, will user code really care?

I'd tend to prefer BSD PAM if it really matters.

Take care,

Bill
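The point under discussion, a PAM-shaped client API that does not dlopen() module .so files but runs a fixed chain of checks the way login(1) does, as an added illustration that is not code from this thread, from NetBSD, or from any PAM implementation. The names (xpam_start, xpam_authenticate, xpam_end, the xpam_* return codes and prompt styles) mirror the shape of the PAM client API but are our own, the "unix" module is a stub, and the user/password table is a constructed fixture standing in for the password database. What the client side depends on is visible here: a handle, a conversation callback it supplies, and a small set of return codes, which is what a header-level choice between LinuxPAM and BSD PAM constants would touch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes and prompt styles modelled on the PAM client API (names are our own). */
enum { XPAM_SUCCESS = 0, XPAM_AUTH_ERR = 1, XPAM_CONV_ERR = 2, XPAM_BUF_ERR = 3 };
enum { XPAM_PROMPT_ECHO_OFF = 1, XPAM_PROMPT_ECHO_ON = 2, XPAM_ERROR_MSG = 3, XPAM_TEXT_INFO = 4 };

struct xpam_message  { int msg_style; const char *msg; };
struct xpam_response { char *resp; };

/* The application supplies the conversation callback; the library never touches a terminal. */
struct xpam_conv {
    int (*conv)(int n, const struct xpam_message *msgs,
                struct xpam_response **resps, void *appdata);
    void *appdata;
};

struct xpam_handle { const char *service; const char *user; struct xpam_conv conv; };
typedef int (*xpam_module_fn)(struct xpam_handle *h);

/* Constructed fixture standing in for the password database; a real module
   would consult getpwnam()/crypt() instead of a table like this. */
static const struct { const char *user; const char *password; } fixture[] = {
    { "alice", "correct horse battery" },
    { "bob",   "hunter2" },
};

/* Length-independent comparison so timing does not leak how many bytes matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char d = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* The one statically linked "module": prompt via the conversation, check, scrub. */
static int mod_unix_authenticate(struct xpam_handle *h)
{
    struct xpam_message m = { XPAM_PROMPT_ECHO_OFF, "Password:" };
    struct xpam_response *r = NULL;
    if (h->conv.conv(1, &m, &r, h->conv.appdata) != XPAM_SUCCESS || r == NULL || r->resp == NULL) {
        free(r);
        return XPAM_CONV_ERR;
    }
    int rc = XPAM_AUTH_ERR;  /* unknown user and wrong password look identical to the caller */
    for (size_t i = 0; i < sizeof fixture / sizeof fixture[0]; i++)
        if (strcmp(fixture[i].user, h->user) == 0 && ct_equal(fixture[i].password, r->resp))
            rc = XPAM_SUCCESS;
    memset(r->resp, 0, strlen(r->resp));  /* the module owns the response and scrubs it */
    free(r->resp);
    free(r);
    return rc;
}

/* Fixed chain, i.e. "the same procedures as login(1)" rather than loading .so files. */
static const xpam_module_fn auth_chain[] = { mod_unix_authenticate };

int xpam_start(const char *service, const char *user, const struct xpam_conv *conv, struct xpam_handle **out)
{
    struct xpam_handle *h = calloc(1, sizeof *h);
    if (h == NULL) return XPAM_BUF_ERR;
    h->service = service; h->user = user; h->conv = *conv;
    *out = h;
    return XPAM_SUCCESS;
}

int xpam_authenticate(struct xpam_handle *h)
{
    for (size_t i = 0; i < sizeof auth_chain / sizeof auth_chain[0]; i++) {
        int rc = auth_chain[i](h);
        if (rc != XPAM_SUCCESS) return rc;  /* every module is "required": first failure ends the stack */
    }
    return XPAM_SUCCESS;
}

int xpam_end(struct xpam_handle *h, int status)
{
    (void)status;
    free(h);
    return XPAM_SUCCESS;
}

/* Scripted conversation for the example: answers ECHO_OFF prompts with the appdata string. */
static int scripted_conv(int n, const struct xpam_message *msgs, struct xpam_response **resps, void *appdata)
{
    const char *secret = appdata;
    struct xpam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return XPAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        if (msgs[i].msg_style != XPAM_PROMPT_ECHO_OFF) continue;
        size_t len = strlen(secret) + 1;
        r[i].resp = malloc(len);
        if (r[i].resp == NULL) { for (int j = 0; j < i; j++) free(r[j].resp); free(r); return XPAM_CONV_ERR; }
        memcpy(r[i].resp, secret, len);
    }
    *resps = r;
    return XPAM_SUCCESS;
}

/* What a client such as login(1) or sshd does: start, authenticate, end. */
int try_login(const char *user, const char *password)
{
    struct xpam_conv conv = { scripted_conv, (void *)password };
    struct xpam_handle *h = NULL;
    int rc = xpam_start("login", user, &conv, &h);
    if (rc != XPAM_SUCCESS) return rc;
    rc = xpam_authenticate(h);
    xpam_end(h, rc);
    return rc;
}

int main(void)
{
    printf("alice/good: %d\n", try_login("alice", "correct horse battery"));
    printf("alice/bad:  %d\n", try_login("alice", "wrong"));
    printf("nobody:     %d\n", try_login("nobody", "hunter2"));
    return 0;
}
```

Swapping the fixed auth_chain for a table read from a configuration file, or for dlopen()ed modules, changes nothing in try_login: the client only ever sees the handle, its own conversation callback and the return codes, which is why the choice of header constants is the main thing client code would notice between the two PAM flavours.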