Subject: Re: Philosophy of PAM and rc.d
To: None <seebs@plethora.net>
From: Dustin Sallings <dustin@spy.net>
List: current-users
Date: 03/18/1999 10:29:27
On Thu, 18 Mar 1999 seebs@plethora.net wrote:

# I don't know.  On the other hand, it's a very easy thing to add, and
# it's not like we're targeting a lot of things we don't have source for. 

	Right, but the problem is that it's too much trouble for me to
modify every application to do *my* authentication when I could modify a
different part of the system and be done.

# That's not very NetBSD.  Traditionally, the NetBSD answer has been to
# evaluate the proposed solutions on technical merit, and choose the best. 
# I think BSD Auth is a better design, but I haven't got enough experience
# with PAM to make a very good judgement.  The login class support is part
# of the BSD Auth design; I'm not sure whether that's a good thing for
# everyone, but I sure like it. 

	I agree, they should both be evaluated on technical merit. 
However, technical merit isn't the only thing to consider.  There's no
point in doing it at all if the gain will be small, which I believe it
would be for BSD auth.  As far as technical merit goes, I believe that
forking off an external process to do the authentication is a great
disadvantage.  Case in point:  I've seen a database application written in
perl using around 150MB of RAM.  The programmer was not aware of the
unlink command, so decided to remove a lockfile by doing `rm
/tmp/mylockfile`.  Suddenly, the process was demanding 300MB of RAM, and
the system couldn't provide it.  What happens when my large database
application needs to authenticate?

# Essentially, if we want that feature, we're stuck altering a lot of
# software anyway.  :(

	Look at the numbers, though.  The primary places I need this are
my mail server, ssh, xdm, xscreensaver, login, and Apache.  The only one
of these that doesn't understand PAM is login.  I don't know that any of
them support BSD auth.  That means that the only things that would need to
be altered are telnet, ftp, login, maybe a couple others.

--
SA, beyond.com           My girlfriend asked me which one I like better.
pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
|    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE 
L_______________________ I hope the answer won't upset her. ____________
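The message above objects to authentication schemes that fork a helper because fork() duplicates the calling process's address space, so a 150MB parent briefly needs another 150MB. The following is an added example, not code from the original message or from either authentication framework it discusses: it spawns a helper with posix_spawnp() instead of fork()+exec(), which on common implementations (NetBSD's posix_spawn system call, glibc's vfork-style clone) does not copy the parent's pages. The large heap allocation in main() is a constructed stand-in for the database application; the helper names are ordinary shell utilities.

```c
/* Added example, not part of the original mailing-list message.
 * Spawning a helper from a large process without duplicating its
 * address space: posix_spawnp() instead of fork()+exec(). */
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Run argv[0] (searched on PATH) with the given argument vector and
 * wait for it. Returns the child's exit status (0..255), or -1 if the
 * child could not be spawned or did not terminate normally. */
int run_helper(char *const argv[]) {
    pid_t pid;
    int rc = posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ);
    if (rc != 0) {
        /* posix_spawn family reports errors as a return value, not errno */
        fprintf(stderr, "posix_spawnp(%s): %s\n", argv[0], strerror(rc));
        return -1;
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Convenience wrapper for a helper that takes no arguments. */
int run_simple(const char *cmd) {
    char *const argv[] = { (char *)cmd, NULL };
    return run_helper(argv);
}

int main(void) {
    /* Constructed stand-in for the 150MB database application: allocate
     * and touch a large heap so the pages are genuinely resident. */
    size_t big = 150u * 1024u * 1024u;
    char *heap = malloc(big);
    if (heap == NULL) { perror("malloc"); return 1; }
    memset(heap, 0x5a, big);

    /* With fork()+exec() this step would require a second 150MB of
     * address space (copy-on-write pages and page tables) just to run a
     * tiny helper; with posix_spawnp() the parent's pages are not copied. */
    int st = run_simple("true");
    printf("helper exit status: %d\n", st);

    free(heap);
    return st == 0 ? 0 : 1;
}
```

The same pattern applies to any privileged helper a large daemon must invoke: whether the spawn path copies the parent's address space is a property of the process-creation primitive, not of the helper, so a design that fixes fork() as the mechanism carries the cost the message describes regardless of how small the helper is.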