Subject: Re: integrating PAM
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: David Maxwell <david@vex.net>
List: current-users
Date: 01/27/2003 15:21:55
On Mon, Jan 27, 2003 at 03:02:00PM -0500, Dan Melomedman wrote:
> David Maxwell wrote:
> > I don't see the word 'ldap' in there and I don't see the word 'module'
> > in there. I do see the phrase 'PAM implementation'.
> 
> Because I think Greg was referring to my original message which talks about
> number of lines of code in pam-ldap, and comparison to checkpassword and
> BSD Auth modules which perform identical function. Maybe he isn't, but I
> certainly was talking about the amount of code each framework demands.

Threads drift, and not every reader of a message will have read every
earlier message in the thread (nor should they need to).

Framework demands are a worthwhile discussion topic, though, I would
say, only within certain boundaries....

Discussions of 'how hard/easy it is to implement an authentication
module' are not that interesting, for a couple of reasons (IMO).

(1) Far more people will use, than implement, modules - regardless of how
easy it is. (CAD/CAM has made Automotive implementation easier than ever
before - how many people design cars, and how many drive them?)

(2) I don't necessarily see advantages in making it easy for
naive/incompetent programmers to implement security sensitive portions
of a system, like Authentication. Having a high barrier to entry might
be an advantage.

> > Also, in any case,
> > 
> > There exist large buggy PAM modules != There cannot exist small,
> >                                        bug-free PAM modules.
> 
> I highly doubt this can be true if the NetBSD PAM API will be compatible
> with either of the currently used APIs. An LDAP checkpassword module,
> or an LDAP BSD Auth module are inherently simpler because in either
> framework the modules are allowed to be simple (mostly because
> processes are easier than shared libraries).

I would say the opposite - in a security context, getting the process
model right (securely) is hard - because you have to deal with I/O,
uid/gid, access rights, and content parsing, for example, which you
wouldn't have to deal with in a function called in a library.

Making a library might require a slightly more complex Makefile, but
really isn't that much harder than compiling a standalone app.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
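The process-model chores the message lists (fd I/O, parsing untrusted bytes, uid/gid switching) spelled out in code, as an added example that is not part of the thread and not code from NetBSD or from any checkpassword or LDAP module: a minimal checkpassword-style authenticator. It assumes djb's checkpassword convention (credentials arrive on fd 3 as "user\0pass\0timestamp\0", at most 512 bytes; exit 0 accepted, 1 rejected, 2 misuse, 111 temporary failure; on success switch to the user and exec the rest of argv), and verify_password() is a placeholder for the real backend (an LDAP bind, say) that checks against a constructed secret so the file runs on its own.

```c
/* Added example: checkpassword-style authenticator (assumed fd-3 wire
 * format and exit codes; verify_password() is a constructed placeholder).
 * Every function below is something a library module is simply handed
 * by its caller; a process module has to get each one right itself. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CP_FD     3
#define CP_MAXLEN 512

struct creds { const char *user, *pass, *stamp; };

/* Read from fd until EOF or the buffer is full; copes with short reads
 * and EINTR. Returns bytes read, or -1 on error. */
ssize_t read_all(int fd, char *buf, size_t cap)
{
    size_t got = 0;
    while (got < cap) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Split the blob into three NUL-terminated fields without running past
 * len. 0 on success; -1 if a terminator is missing or user is empty.
 * The pointers in *out reference buf. */
int parse_checkpassword(char *buf, size_t len, struct creds *out)
{
    const char *f[3];
    size_t pos = 0;
    for (int i = 0; i < 3; i++) {
        const char *end = memchr(buf + pos, '\0', len - pos);
        if (end == NULL) return -1;
        f[i] = buf + pos;
        pos = (size_t)(end - buf) + 1;
    }
    if (f[0][0] == '\0') return -1;
    out->user = f[0]; out->pass = f[1]; out->stamp = f[2];
    return 0;
}

/* Comparison whose timing does not depend on where the strings differ:
 * 1 if equal, 0 otherwise. */
int consttime_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i % (lb ? lb : 1)]);
    return diff == 0;
}

/* Placeholder backend with a constructed user/secret (example only). */
int verify_password(const char *user, const char *pass)
{
    static const char example_user[] = "alice";         /* constructed */
    static const char example_pass[] = "correct horse"; /* constructed */
    int u = consttime_equal(user, example_user);   /* evaluate both so */
    int p = consttime_equal(pass, example_pass);   /* timing is uniform */
    return u & p;
}

/* Overwrite secret bytes; volatile keeps the compiler from dropping it. */
void secure_wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--) *v++ = 0;
}

/* Groups, then gid, then uid; afterwards prove root is really gone. */
int drop_privileges(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char buf[CP_MAXLEN];
    struct creds c;
    if (argc < 2) return 2;
    ssize_t n = read_all(CP_FD, buf, sizeof buf);
    if (n < 0) return 111;
    close(CP_FD);
    if (parse_checkpassword(buf, (size_t)n, &c) != 0) return 2;
    struct passwd *pw = getpwnam(c.user);      /* c.* still point into buf */
    int ok = verify_password(c.user, c.pass) && pw != NULL;
    secure_wipe(buf, sizeof buf);              /* password no longer needed */
    if (!ok) return 1;
    if (drop_privileges(pw) != 0) return 111;
    execvp(argv[1], argv + 1);
    return 111;
}
```

Note how little of this is "authentication": the backend check is one function, while the reading, parsing, wiping and privilege handling around it is the part that carries the security risk and that a library module never has to write.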