Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: David Maxwell <david@vex.net>
List: current-users
Date: 01/23/2003 22:54:49
On Thu, Jan 23, 2003 at 08:58:56PM -0500, Dan Melomedman wrote:
> > > Ken Hornstein wrote:
> > > > "Religious" in this sense means, "Having nothing to do with reason".
> > > > (E.g., I have yet to see a coherent reason why having PAM in the OS
> > > > could ever harm you, unless you went out of your way to hose it up).
> > Reread your sentence again. You aren't reasoning that PAM is bad (or good)
> > for this or that reason, you are saying you don't like PAM. That's a
> > religious reason.
> 
> Right, let's just pretend I never wrote why I don't like PAM.

I'd like to, but your messages keep filling my inbox, so...

> I've stated many times about its unneeded complexity,

Your comments on that topic appear to have been regarding any particular
_implementation_ of PAM, rather than the API.

Since NetBSD doesn't yet have a PAM implementation, it's not a valid
criticism against providing a PAM api.

> about how much easier it is
> to write and debug BSD Auth modules than it is to write PAM modules due to the
> API,

That's not very significant, since far fewer people will write
authentication modules than will use them.

Additionally, supporting the PAM API allows people (or the project) to
choose from many existing module implementations, meaning that with PAM,
the authentication you want may already exist, so no one needs to write
anything new.

> and you can read even more if you look at the August thread. Also,
> if you take a look at other frameworks such as checkpassword or CVM,
> they have similar advantages over PAM.

They don't have the advantage of the existing module implementations.

That alone isn't a winning argument, it's only one to be weighed with
the rest, but nothing you've said invalidates it.

> In addition, take a look at
> the pam_ldap module, its security history, and number of lines of code
> for instance.

OpenSSH has had lots of bugs != the ssh protocol is bad.

There exist buggy PAM modules != PAM is bad.

If you'd like to end up with a system in which you can avoid compiling
in the not-yet-written and likely high-quality-NetBSD-implementation of
PAM, then I suggest that you try to develop a list of those functions that
may be required by any auth system. You can then propose that PAM be
implemented as a thin layer on top, and BSD-auth (or whatever) as
another thin layer.

You won't likely get much traction on even that though, if you're
complaining, but not looking like you're willing to contribute any
actual code towards solving the problem.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
All this stuff in twice the space would only look half as bad!
					      - me
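The "thin layers over a common core" design suggested in the message above, sketched as an added C illustration. This is not NetBSD, libpam or BSD Auth code; every name prefixed `thin_` or `toy_` is hypothetical, and the two-entry user table is constructed for the demo. The core exposes one operation that any authentication system needs (verify a secret for a user); a PAM-shaped layer obtains the secret through an application-supplied conversation callback, the way libpam's `pam_conv` does, while a BSD-Auth-shaped layer takes the password and a style name directly, in the spirit of `auth_userokay(3)`. Both layers end in the same core call, which is the point of the proposal.

```c
/* Added illustration: one shared auth core with two thin front-end layers.
 * Hypothetical names; not code from NetBSD, libpam or BSD Auth.
 * Build: cc -std=c99 -Wall thin_layers.c -o thin_layers */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1. The shared core: the minimal operation every auth system needs.
 *    Here it is "verify a secret for a user"; a real list would also
 *    cover account validity, session setup and password change. */
typedef int (*auth_verify_fn)(const char *user, const char *secret);

struct auth_core {
    const char *name;      /* style name exposed to the BSD-Auth-shaped layer */
    auth_verify_fn verify; /* 0 = success, nonzero = failure */
};

/* Constructed backend: a two-entry table for the demo only.
 * A real backend would verify a salted hash, not compare plaintext. */
struct toy_entry { const char *user; const char *secret; };
static const struct toy_entry toy_table[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};

/* Constant-time string equality so the comparison does not leak
 * length or matching-prefix timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

static int toy_verify(const char *user, const char *secret)
{
    int ok = 0;
    /* Walk the whole table (no early exit) so unknown and known users
     * take the same path. */
    for (size_t i = 0; i < sizeof toy_table / sizeof toy_table[0]; i++)
        if (strcmp(toy_table[i].user, user) == 0)
            ok = ct_equal(toy_table[i].secret, secret);
    return ok ? 0 : -1;
}

static const struct auth_core core = { "toy-table", toy_verify };

/* 2a. PAM-shaped thin layer: the framework asks the application for the
 *     secret through a conversation callback (cf. libpam's pam_conv).
 *     Simplified to one prompt and one reply. */
struct thin_pam_conv {
    int (*conv)(const char *prompt, char *reply, size_t replylen, void *appdata);
    void *appdata;
};

int thin_pam_authenticate(const char *user, const struct thin_pam_conv *pc)
{
    char reply[256];
    if (pc->conv("Password: ", reply, sizeof reply, pc->appdata) != 0)
        return -1;                  /* conversation failed */
    int rc = core.verify(user, reply);
    memset(reply, 0, sizeof reply); /* scrub; use explicit_bzero(3) where available */
    return rc;
}

/* Conversation function answering from a fixed string, as a test harness
 * or non-interactive caller would supply. */
int fixed_conv(const char *prompt, char *reply, size_t replylen, void *appdata)
{
    (void)prompt;
    snprintf(reply, replylen, "%s", (const char *)appdata);
    return 0;
}

/* Convenience wrapper: authenticate via the PAM-shaped layer with a fixed
 * password. Returns 0 on success, nonzero on failure. */
int thin_pam_demo(const char *user, char *password)
{
    struct thin_pam_conv pc = { fixed_conv, password };
    return thin_pam_authenticate(user, &pc);
}

/* 2b. BSD-Auth-shaped thin layer: the application already holds the
 *     password and names a style; returns 1 on success, 0 on failure,
 *     mirroring auth_userokay(3)'s convention. */
int thin_auth_userokay(const char *user, const char *style, const char *password)
{
    if (style != NULL && strcmp(style, core.name) != 0)
        return 0;                   /* unknown style: reject */
    return core.verify(user, password) == 0;
}

int main(void)
{
    char pw[] = "correct-horse";
    printf("pam-style alice: %s\n", thin_pam_demo("alice", pw) == 0 ? "ok" : "denied");
    printf("bsd-style bob:   %s\n",
           thin_auth_userokay("bob", "toy-table", "battery-staple") ? "ok" : "denied");
    return 0;
}
```

The only place credentials are checked is `core.verify`; each front end just adapts its calling convention (callback versus direct argument) onto that call, which is what makes either layer optional at build time.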