Subject: Re: PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 09/25/2002 14:38:12

On Wed, 25 Sep 2002, Dan Melomedman wrote:

>If however, there was a _simple_ framework, administrator would only
>write a simple authenticator module. I fail to see how writing PAM modules is
>trivial, whereas with exec chains things really could be trivial for a
>sysadmin.

Is your objection to PAM that there should be an easy way to write
modules? Because you can do that with PAM; just write the auth system you
are describing as a PAM module!

>NSS is a whole different story. Changing where getp* finds its information
>is not so straight-forward, same for NSS APIs.
>
>Bottom line - PAM isn't the only way to do it.

Do you really think we didn't think about that? The decision that we
eventually want some sort of loadable module auth system is one we have
been thinking about for years. A number of developers who now support the
idea (myself included) initially did not like PAM. But after thinking
about all of the different things we want to permit, some sort of loadable
module system is the only one which will do it all.

To disagree with the decision is fine. But your arguments will have much
more traction if they reflect the fact folks DID think about the
alternatives. We aren't coming at this from the perspective of, "Oooooo,
PAM, that's pretty and shiny. Let's do that!"

Take care,

Bill