current-users: Re: PAM

Subject: Re: PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Jim Wise <jwise@draga.com>
List: current-users
Date: 09/25/2002 16:29:08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 25 Sep 2002, Dan Melomedman wrote:

>Jim Wise wrote:
>> Wow.  You only log into your system using /usr/bin/login?  Cool.
>>
>> Many other people want the ability to compile authentication into a wide
>> range of existing programs.  Can you explain to use how an apache module
>> could use exec chaining for authentication?
>
>I use login as an example, and you know it. Could easily fork

But that's just it -- even the base system includes a wide range of
applications beyond /usr/bin/login which log users in in one way or
another (think ssh, ftp, rsh, telnet for starters), and it is difficult
to see rewriting all of them to fit exec-chaining into their logic.

>/exec an authenticator which would return ok, fail, etc. But why Apache
>anyway? Its modules are already written to use SQL, LDAP, etc. As I
>said, if software already supports a type of external authentication which
>I'd need, I'd gladly use it. If however, a system administrator desires
>to authenticate real system accounts, the picture is very different.
>Authentication is actually the easier part, heck,  I'd write the common
>utility replacemenst myself if I was forced to.

So, to be clear, your opinion is that each third party application which
uses authentication should provide its own custom module interface, and
its own modules for every possible authentication system which might be
used?  Keep in mind that some transactions which can quite happily use
PAM (such as database access or http authentication) are rather
difficult to map to an exec-chaining method...

>If however, there was a _simple_ framework, administrator would only
>write a simple authenticator module. I fail to see how writing PAM modules is
>trivial, whereas with exec chains things really could be trivial for a
>sysadmin.
>
>NSS is a whole different story. changing where getp* finds its information
>is not so straight-forward, same for NSS APIs.
>
>Bottom line - PAM isn't the only way to do it.

Certainly true, but it's a well defined, and already-existing (and
standardized)  way of doing things which a lot of third-party software
we want to provide already supports.

- -- 
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (NetBSD)

iD8DBQE9khyYlGcH240chEIRAi5cAJ9T1iEcBS5knlssjn5gNVc2w3CsigCeKhiw
E2VP24HOLZ/xQeHvIoxGBrM=
=vkp8
-----END PGP SIGNATURE-----