Subject: Re: "BSD Authentication"
To: Todd Vierling <tv@pobox.com>
From: David Holland <dholland@cs.toronto.edu>
List: current-users
Date: 11/23/1998 04:19:25
 > PAM is similar, but doesn't require communication with a server (or
 > "middleman server", in the case of things like YP or SQL or radius).  The
 > code is run in the space of the process doing authentication, via a shlib.

PAM has other problems though as a consequence. You'll find, for
instance, that the process that opens the PAM session has to stick
around to close it, because otherwise the shared library data segments
holding the state go away. This interacts badly with, say, init/getty/
login. In Red Hat 4.0, login forked your shell instead of exec'ing it;
needless to say, this broke a lot of stuff...

PAM is a good idea, but from what I've seen the actual design isn't so
hot.

-- 
   - David A. Holland             | (please continue to send non-list mail to
     dholland@cs.utoronto.ca      | dholland@hcs.harvard.edu. yes, I moved.)
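
Added example, not part of the original message and not libpam code: a small C model of the constraint described above, where session state held in the opening process is lost if that process execs the shell. The static buffer stands in for module state in a shared library's data segment, the file under /tmp stands in for the session's external side effect, and run_login and the path name are hypothetical.

```c
/* Added illustration: a stand-in for PAM session state, not libpam calls. */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Lives in this process's data segment, like module state in a shlib. */
static char session_record[64];

static void open_session(void) {
    snprintf(session_record, sizeof session_record,
             "/tmp/demo_session.%ld", (long)getpid());
    int fd = open(session_record, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) close(fd);                 /* external side effect */
}

static void close_session(void) {
    if (session_record[0]) unlink(session_record); /* needs in-process state */
    session_record[0] = '\0';
}

/* Returns 1 if the session record is left behind, 0 if it was cleaned up. */
int run_login(int exec_shell_directly) {
    pid_t login = fork();
    if (login < 0) return -1;
    if (login == 0) {                       /* the "login" process */
        open_session();
        /* Classic login execs the shell in place; otherwise fork and wait. */
        pid_t shell = exec_shell_directly ? 0 : fork();
        if (shell == 0) {
            execl("/bin/sh", "sh", "-c", "exit 0", (char *)NULL);
            _exit(127);                     /* exec failed */
        }
        waitpid(shell, NULL, 0);
        close_session();                    /* state is still here to use */
        _exit(0);
    }
    waitpid(login, NULL, 0);
    char path[64];
    snprintf(path, sizeof path, "/tmp/demo_session.%ld", (long)login);
    int stale = (access(path, F_OK) == 0);
    unlink(path);                           /* tidy up after the demo */
    return stale;
}

int main(void) {
    printf("exec shell directly: stale=%d\n", run_login(1));
    printf("fork shell and wait: stale=%d\n", run_login(0));
    return 0;
}
```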