Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/21/2003 16:38:20
John Nemeth wrote:
>      There has been much criticism about PAM not being ideal.  However,
> we all know about other solutions that aren't ideal, but which must be
> included if NetBSD is to be considered to be a player in the OS game
> (i.e.  NFS).  PAM is currently used by FreeBSD, HP-UX, most Linux
> systems, and Solaris.  It is also used by many third party apps that
> need to perform authentication.  It is the only standardised way of
> having flexible authentication.  For these reasons, I believe PAM is

The famous saying goes "The problem with standards is there are so
many". It's a standard depending who you ask. If PAM is the only way
of having flexible authentication, then NFS (Network Failure System) 
is also the only way to share files.

How about then, adding a better framework for authentication additional
to PAM (and maybe even standardizing on it, having PAM for
interoperability with other OSes)? Something simpler in design, API and
ease of use. Who knows, maybe in a few years NetBSD's framework will
be accepted by others, and will displace the PAM monster. After all,
isn't this what progress is all about?

URLs of interest:

CVM:             http://untroubled.org/cvm/
Checkpassword:   http://cr.yp.to/checkpwd.html
kchuid:          http://www.nimh.org/code/kchuid/

Authentication aside, I think the more difficult issue is the NSS. getp*
functions are bound to the C library. It's far easier to authenticate a
user with a non-PAM method (e.g., SSH, which uses a specialized version of
'login') than to either use NSS, or write your own NSS replacement
without doing things such as linking your database library into the C
library. Once a user is authenticated, he's stuck because his UID/GID,
supplementary groups, etc. are unknown to the OS without an NSS module.
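The two halves the post separates, as an added example that is not part of the original message or of any of the linked projects: first, parsing the input a checkpassword-style checker receives (a login name, a password and a timestamp, each NUL-terminated, in at most 512 bytes, as the checkpassword interface linked above specifies), which needs nothing from the C library's user database; second, turning the authenticated name into a UID, GID, home, shell and supplementary groups, which can only go through libc's getpwnam_r/getgrouplist and therefore through whatever NSS backends libc knows about. The user names, password and timestamp in the buffers are constructed; the exit codes 0/1/2/111 are the ones the checkpassword interface defines; the gid_t-based getgrouplist signature is the glibc/NetBSD one.

```c
/* Added example (not from the mailing-list post). Shows that checking a
 * password can be done without NSS, but mapping the name to credentials
 * cannot: every lookup below goes through the C library's NSS path. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define CHECKPW_MAX 512            /* checkpassword input size limit */
/* Exit codes defined by the checkpassword interface. */
enum { CPW_OK = 0, CPW_BAD = 1, CPW_MISUSE = 2, CPW_TEMPFAIL = 111 };

struct checkpw_req {
    const char *name;
    const char *password;
    const char *timestamp;
};

/* Split a checkpassword input buffer ("name\0password\0timestamp\0") into
 * its three fields. Returns CPW_OK, or CPW_MISUSE if the data is malformed.
 * The fields point into buf, so buf must outlive the request. */
int checkpw_parse(char *buf, size_t len, struct checkpw_req *req)
{
    size_t pos = 0;
    const char *fields[3];
    if (len > CHECKPW_MAX)
        return CPW_MISUSE;
    for (int i = 0; i < 3; i++) {
        const char *end = memchr(buf + pos, '\0', len - pos);
        if (end == NULL)
            return CPW_MISUSE;             /* field not NUL-terminated */
        fields[i] = buf + pos;
        pos = (size_t)(end - buf) + 1;
    }
    if (fields[0][0] == '\0')
        return CPW_MISUSE;                 /* empty login name */
    req->name = fields[0];
    req->password = fields[1];
    req->timestamp = fields[2];
    return CPW_OK;
}

struct identity {
    uid_t uid;
    gid_t gid;
    char home[256];
    char shell[256];
    gid_t groups[64];
    int ngroups;
};

/* Map an authenticated login name to the credentials the OS needs to run
 * anything as that user. getpwnam_r and getgrouplist consult libc's NSS
 * backends; a user kept only in an external database invisible to NSS
 * comes back as unknown here even though the password check succeeded.
 * Returns CPW_OK, CPW_BAD if unknown, CPW_TEMPFAIL on a lookup error. */
int resolve_identity(const char *name, struct identity *id)
{
    struct passwd pw, *res = NULL;
    char pwbuf[4096];
    if (getpwnam_r(name, &pw, pwbuf, sizeof pwbuf, &res) != 0)
        return CPW_TEMPFAIL;
    if (res == NULL)
        return CPW_BAD;
    id->uid = pw.pw_uid;
    id->gid = pw.pw_gid;
    snprintf(id->home, sizeof id->home, "%s", pw.pw_dir);
    snprintf(id->shell, sizeof id->shell, "%s", pw.pw_shell);
    id->ngroups = (int)(sizeof id->groups / sizeof id->groups[0]);
    if (getgrouplist(name, pw.pw_gid, id->groups, &id->ngroups) == -1)
        return CPW_TEMPFAIL;               /* more groups than we can hold */
    return CPW_OK;
}

int main(void)
{
    /* Constructed sample input in checkpassword format (not a real credential). */
    char buf[] = "root\0" "example-password\0" "946684800\0";
    struct checkpw_req req;
    struct identity id;
    int rc = checkpw_parse(buf, sizeof buf - 1, &req);
    if (rc != CPW_OK)
        return rc;
    /* A real checker verifies req.password against its own database here,
     * which needs no NSS at all. The next step is the one that does. */
    rc = resolve_identity(req.name, &id);
    if (rc != CPW_OK) {
        fprintf(stderr, "%s: authenticated but unknown to NSS\n", req.name);
        return rc;
    }
    printf("%s -> uid %lu gid %lu home %s shell %s, %d group(s)\n", req.name,
           (unsigned long)id.uid, (unsigned long)id.gid, id.home, id.shell,
           id.ngroups);
    return CPW_OK;
}
```

In a real checker the buffer comes from descriptor 3 rather than a literal, and the process would setgid/setuid to the resolved credentials before exec'ing the rest of its argument list; the point of the split is that resolve_identity is the step a non-NSS user database cannot satisfy.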