Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/25/2002 15:51:56
Jim Wise wrote:
> Wow.  You only log into your system using /usr/bin/login?  Cool.
> 
> Many other people want the ability to compile authentication into a wide
> range of existing programs.  Can you explain to us how an apache module
> could use exec chaining for authentication?

I use login as an example, and you know it. Could easily fork/exec
an authenticator which would return ok, fail, etc. But why Apache
anyway? Its modules are already written to use SQL, LDAP, etc. As I
said, if software already supports a type of external authentication which
I'd need, I'd gladly use it. If however, a system administrator desires
to authenticate real system accounts, the picture is very different.
Authentication is actually the easier part, heck, I'd write the common
utility replacements myself if I was forced to.

If however, there was a _simple_ framework, an administrator would only
write a simple authenticator module. I fail to see how writing PAM modules is
trivial, whereas with exec chains things really could be trivial for a
sysadmin.

NSS is a whole different story. Changing where getp* finds its information
is not so straightforward, same for NSS APIs.

Bottom line - PAM isn't the only way to do it.
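
The fork/exec authenticator idea discussed in this message, sketched as an added example that is not part of the original post or of any NetBSD code. The function name `exec_auth`, the "user, newline, password, newline on stdin" framing, the exit-status convention and the `/bin/sh` stand-in helper are all assumptions made for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in authenticator: reads "user\npassword\n" on stdin and
 * exits 0 only for one hard-coded pair. A real helper would check a database. */
static char *const demo_helper[] = { "/bin/sh", "-c",
    "IFS= read -r u; IFS= read -r p; "
    "[ \"$u\" = alice ] && [ \"$p\" = 'correct horse' ]", NULL };

/* Returns 0 = ok, 1 = rejected, -1 = helper could not be run (treat as deny). */
int exec_auth(char *const argv[], const char *user, const char *pass)
{
    char buf[512];
    int fds[2], status, n;
    pid_t pid;

    /* A newline inside a field would shift the framing: refuse it. */
    if (strchr(user, '\n') || strchr(pass, '\n')) return -1;
    n = snprintf(buf, sizeof buf, "%s\n%s\n", user, pass);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;
    if (pipe(fds) < 0) return -1;

    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* Child: credentials arrive on stdin, never in argv or the
         * environment, so they do not show up in ps output. */
        close(fds[1]);
        if (fds[0] != STDIN_FILENO &&
            (dup2(fds[0], STDIN_FILENO) < 0 || close(fds[0]) < 0)) _exit(127);
        execv(argv[0], argv);
        _exit(127);                               /* exec failed */
    }
    close(fds[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);  /* helper may exit early */
    ssize_t w = write(fds[1], buf, (size_t)n);
    close(fds[1]);
    signal(SIGPIPE, old);
    if (waitpid(pid, &status, 0) < 0 || w != n) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 0 : 1;      /* only exit 0 means "ok" */
}

int main(void) { return exec_auth(demo_helper, "alice", "correct horse") != 0; }
```

Every outcome other than a clean exit status of 0 is a denial, so a crashed, missing or killed helper fails closed.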