Subject: Re: BSD auth for NetBSD
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.org>
From: Alan Barrett <email@example.com>
Date: 09/15/2003 09:59:56

On Sun, 14 Sep 2003, Bill Studenmund wrote:
> I started to look at such a shim API, but have not gotten very far.

I would like to see such a shim, but I am not competent to design it.
What I would like from it is:
* applications that use the PAM API just work;
* applications that use the BSD-Auth API just work;
* both kinds of applications get redirected to some kind of middle
  layer that consults a config file to decide what to do;
* the middle layer does whatever magic is necessary to allow an
  application that thinks it is using BSD-Auth to really use PAM, and

> It looks like just using PAM and having a BSD Auth using module ship
> in the base system would be the best way to go.

The people who hate dynamic linking would hate this, unless there was a
way to statically link some subset of PAM. The people who hate PAM might
be pacified if there was a way to say "the only PAM module that is ever
allowed to run is the BSD-Auth-over-PAM proxy, and that must be statically

--apb (Alan Barrett)