Subject: Re: BSD Authentication
To: NetBSD-current Discussion List <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 09/07/2003 00:18:23
In message <m19vriO-000B6RC@proven.weird.com>, "Greg A. Woods" writes:
>You and I obviously have very different ideas of what "big" and
>"complex" mean w.r.t. core security systems software. PAM is,
>relatively speaking, HUGE and extremely complex (and that's even if you
>don't count ld.so, which I'm sure you'll admit is really still a
>fundamental part of PAM).
BSD auth looks pretty big at first, with something like 29 functions in
user-visible namespace.
Hmm.
-rw-rw-r-- 1 root root 8596 1998-01-27 20:49 auth_compat.3
-rw-rw-r-- 1 root root 10944 1999-09-07 23:10 auth_compat.c
-rw-rw-r-- 1 root root 13084 2000-03-30 13:11 auth_subr.3
-rw-rw-r-- 1 root root 23063 2001-10-03 12:29 auth_subr.c
-rw-rw-r-- 1 root root 7937 1998-09-03 15:27 authenticate.3
-rw-rw-r-- 1 root root 11893 2001-10-03 12:29 authenticate.c
That's code and documentation, except for the additional docs that are
in the man page for login.conf - which I suppose probably ought to be counted
too.
However, a lot of the functions are entirely trivial.
int
auth_approve(login_cap_t *lc, char *name, char *type)
{
	return (auth_approval(NULL, lc, name, type));
}
I don't think that takes a lot of auditing, but it's one of the functions
that appears as part of the "simplified" interface.
I dunno how much code PAM is, but a hair over 45k of code which hasn't needed
to be updated in a long time seems pretty small and fairly stable. (I don't
currently have access to that CVS tree, so I can't actually tell you whether
there's been recent changes, but I doubt it.) And, of course, this being
BSD-license code, the copyright notices are fairly big, so the code isn't
as big as it looks. Including copyright notices, it's 1,930 lines of code.
So, how big is PAM?
As a secondary consideration, there's the level of coupling between PAM
modules and the client program. PAM modules can do anything they want to
the caller's address space; this means that, even apart from an intentional
attack, a bug in a PAM module can do things within an otherwise
carefully-audited program. Each new module introduces that risk all over
again.
-s
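
Added illustration of the coupling point in the message above (not part of the original message, and not PAM or BSD auth code): a constructed module with a stray write is called once inside the caller's address space and once in a forked child, where only an exit status comes back. All names (buggy_module, privileged, the sample password) are hypothetical.

```c
/* Added example; hypothetical names, not PAM or BSD auth source. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static int privileged = 0;	/* caller state the module should never touch */

/* Constructed module: checks a password, but has a stray write. */
static int buggy_module(const char *pw)
{
	privileged = 1;		/* the bug: writes into the caller's data */
	return strcmp(pw, "sesame") == 0;
}

/* In-process call, as with a module loaded into the caller.
 * Returns the caller's state after the module has run. */
int check_in_process(const char *pw)
{
	privileged = 0;
	(void)buggy_module(pw);
	return privileged;
}

/* Same module in a child process; only the exit status crosses back.
 * Returns the caller's state, or -1 on fork/wait failure. */
int check_in_child(const char *pw, int *accepted)
{
	int status;
	pid_t pid;

	privileged = 0;
	if ((pid = fork()) < 0)
		return -1;
	if (pid == 0)
		_exit(buggy_module(pw) ? 0 : 1);	/* child's copy is clobbered */
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	*accepted = WIFEXITED(status) && WEXITSTATUS(status) == 0;
	return privileged;
}

int main(void)
{
	int ok = 0;
	printf("in-process: privileged=%d\n", check_in_process("sesame"));
	printf("child:      privileged=%d accepted=%d\n", check_in_child("sesame", &ok), ok);
	return 0;
}
```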