Subject: Re: PAM stinks
To: None <>
From: Thomas Michael Wanka <>
List: netbsd-advocacy
Date: 10/03/2001 12:17:04

First, I did not try to pretend to be a PAM expert.

Second, I understood that correct PAM will give you the option to 
use several authentication schemes in a way (simplified) that a 
service calls PAM for authentication, PAM calls the authentication 
method, if this method results in an OK, parameters like username 
and such are passed to the calling service.

All biometric authentication systems I have seen will allow you to 
use passwords as well. If it would not work that way a simple 
failure of hardware would result in an inaccessible system. This is 
not a PAM problem. 

For the biometric authentication with pop there are two options, 
either the user has a compatible scanner on the system he tries to 
access from, the data stream from the scanner will be passed over 
the access medium (probably network). If not he can use passwords 
if wanted. 

Basically the biometric authentication systems I have seen work like 
that: (hopefully) unique data from the fingerprint/iris scan are stored 
in a string (comparable to crypted passwords). Some kind of 
database associates the string with a user (and his data like 
homedir etc.). If you implement such a system, it is up to you to 
make sure it works with pop/telnet whatever. 


On 2 Oct 2001, at 19:54, Miles Nordin wrote:

> > The mentioned installation could have used a standard text user-
> > /passwordfile.
> Or, a standard db(3) file, even.
> As for thumbprints,
> Question 1:  How will PAM allow login(1) to use biometrics, say a 
>              retinal scanner, as part of authentication, by changing
>              code in only one place?
> Now that you've answered Question 1, let's move on.
> Question 2:  How will changing code in this one spot allow the retinal
>              scanner to automatically work with POP3?  How about
>              netatalk?
> Question 3:  Okay, maybe I was being overly-ambitious.  But, at least you
>              got the retinal scanner working with login(1), thanks to
>              PAM.  Now, how about, when login(1) is invoked by telnetd
>              instead of getty?
> Like I said, PAM solves an ill-posed problem, and is therefore a
> fundamentally broken architecture.
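
The scanner-with-password-fallback arrangement discussed in this message, as a simplified Python model of a PAM-style auth stack using the `sufficient` and `required` control flags; this is an added example, not code from either poster or from any PAM implementation. The module functions, the `kiosk` service, the accounts and the exact-match template comparison are assumptions made for illustration.

```python
import hashlib
import hmac

SUCCESS, AUTH_ERR, UNAVAIL = "success", "auth_err", "unavailable"

def _kdf(password):
    # Constructed salt and iteration count, for illustration only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 1000)

# Constructed sample account: one enrolled template string and one password hash.
TEMPLATES = {"alice": "constructed-template-01"}
PASSWORDS = {"alice": _kdf("correct horse")}

def biometric_module(creds):
    """Hypothetical scanner module; exact match stands in for a real matcher."""
    scan = creds.get("scan")
    if scan is None:                      # no scanner on the client, or hardware failure
        return UNAVAIL
    enrolled = TEMPLATES.get(creds["user"])
    if enrolled is None:                  # unknown user never matches
        return AUTH_ERR
    ok = hmac.compare_digest(enrolled.encode(), scan.encode())
    return SUCCESS if ok else AUTH_ERR

def password_module(creds):
    """Password check against the stored hash."""
    stored = PASSWORDS.get(creds["user"])
    supplied = creds.get("password")
    if stored is None or supplied is None:
        return AUTH_ERR
    return SUCCESS if hmac.compare_digest(stored, _kdf(supplied)) else AUTH_ERR

def run_stack(stack, creds):
    """Evaluate (control, module) pairs with 'sufficient'/'required' semantics."""
    required_ok, required_failed = False, False
    for control, module in stack:
        result = module(creds)
        if control == "sufficient" and result == SUCCESS and not required_failed:
            return True                   # success here ends the stack early
        if control == "required":
            required_ok = required_ok or result == SUCCESS
            required_failed = required_failed or result != SUCCESS
    return required_ok and not required_failed

# login and pop3 share one stack, so the scanner is configured in one place.
FALLBACK = [("sufficient", biometric_module), ("required", password_module)]
SCANNER_ONLY = [("required", biometric_module)]   # no fallback: scanner loss locks users out
SERVICES = {"login": FALLBACK, "pop3": FALLBACK, "kiosk": SCANNER_ONLY}

def authenticate(service, creds):
    return run_stack(SERVICES[service], creds)
```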