Subject: Re: PAM stinks
To: None <netbsd-advocacy@netbsd.org>
From: Thomas Michael Wanka <Tom@Wanka.at>
List: netbsd-advocacy
Date: 10/03/2001 12:17:04
Hi,
First, I did not try to pretend to be a PAM expert.
Second, I understood that correct PAM will give you the option to
use several authentication schemes in a (simplified) way like this: a
service calls PAM for authentication, PAM calls the authentication
method, and if this method results in an OK, parameters like username
and such are passed to the calling service.
All biometric authentication systems I have seen will allow you to
use passwords as well. If it did not work that way, a simple
hardware failure would result in an inaccessible system. This is
not a PAM problem.
For biometric authentication with POP there are two options:
either the user has a compatible scanner on the system he tries to
access from, and the data stream from the scanner is passed over
the access medium (probably the network); if not, he can use passwords
if wanted.
Basically, the biometric authentication systems I have seen work like
this: (hopefully) unique data from the fingerprint/iris scan are stored
in a string (comparable to crypted passwords). Some kind of
database associates the string with a user (and his data, like
homedir etc.). If you implement such a system, it is up to you to
make sure it works with POP/telnet, whatever.
mike
On 2 Oct 2001, at 19:54, Miles Nordin wrote:
> > The mentioned installation could have used a standard text user-
> > /passwordfile.
>
> Or, a standard db(3) file, even.
>
> As for thumbprints,
>
> Question 1: How will PAM allow login(1) to use biometrics, say a
> retinal scanner, as part of authentication, by changing
> code in only one place?
>
> Now that you've answered Question 1, let's move on.
>
> Question 2: How will changing code in this one spot allow the retinal
> scanner to automatically work with POP3? How about
> netatalk?
>
> Question 3: Okay, maybe I was being overly-ambitious. But, at least you
> got the retinal scanner working with login(1), thanks to
> PAM. Now, how about, when login(1) is invoked by telnetd
> instead of getty?
>
> Like I said, PAM solves an ill-posed problem, and is therefore a
> fundamentally broken architecture.
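The flow sketched in Mike's reply, as an added example written for this page (not code from the thread, and not PAM's real API): one authenticate() entry point that every service calls, a stack of modules with pam.conf-style "sufficient"/"required" flags, a biometric module that matches a stored template with a tolerance, and a password module as the fallback the post describes. The user record, the 64-bit template string, the module names, the control-flag semantics and the distance threshold are all constructed for the example.

```python
"""Toy pluggable-authentication stack: a service asks one entry point,
the stack calls its modules in order, and on success identity data
(username, home directory) is handed back to the caller.
Constructed example; module names, flags and data are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user database: stands in for passwd(5), a db(3) file or a
# directory.  The "template" is a made-up 64-bit iris code; real templates
# are vendor-specific, but the idea of a stored string matched with some
# tolerance is the same.
IRIS_TEMPLATE = "1011001110001101" * 4
USERS = {
    "alice": {
        "home": "/home/alice",
        "password": make_password_record("correct horse battery staple"),
        "template": IRIS_TEMPLATE,
    },
}


@dataclass
class Credentials:
    username: str
    password: Optional[str] = None   # None: caller collected no password
    scan: Optional[str] = None       # None: no scanner on the client side


def pam_unix(user: dict, creds: Credentials) -> Optional[bool]:
    """Password module.  None means 'not applicable' (no password given)."""
    if creds.password is None:
        return None
    rec = user["password"]
    got = hashlib.pbkdf2_hmac("sha256", creds.password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(got, rec["hash"])


def pam_biometric(user: dict, creds: Credentials, max_distance: int = 6) -> Optional[bool]:
    """Biometric module: scans are never bit-identical, so accept a scan whose
    Hamming distance from the stored template is within a threshold."""
    if creds.scan is None:
        return None
    template = user["template"]
    if len(creds.scan) != len(template):
        return False
    distance = sum(a != b for a, b in zip(creds.scan, template))
    return distance <= max_distance


# Stack configuration, one entry per module, in the spirit of pam.conf:
#   'sufficient': success ends the stack with OK, failure is ignored;
#   'required':   failure fails the whole stack, later modules still run.
STACK = [
    ("sufficient", pam_biometric),
    ("required", pam_unix),
]


def authenticate(service: str, creds: Credentials, stack=STACK) -> Optional[dict]:
    """Single entry point that login, pop3, ... all call.
    Returns identity data on success, None on failure."""
    user = USERS.get(creds.username)
    if user is None:   # a real module would still burn a hash here so timing
        return None    # does not reveal which usernames exist
    required_failed = False
    required_via = None
    for control, module in stack:
        result = module(user, creds)
        if result is None:          # module cannot decide (no scan/password)
            continue
        if control == "sufficient" and result and not required_failed:
            return {"service": service, "user": creds.username,
                    "home": user["home"], "via": module.__name__}
        if control == "required":
            if result:
                required_via = module.__name__
            else:
                required_failed = True
    if required_failed or required_via is None:
        return None
    return {"service": service, "user": creds.username,
            "home": user["home"], "via": required_via}


def flip_bits(bits: str, positions) -> str:
    """Simulate scanner noise by flipping the given template bits."""
    out = list(bits)
    for i in positions:
        out[i] = "0" if out[i] == "1" else "1"
    return "".join(out)


if __name__ == "__main__":
    noisy = flip_bits(IRIS_TEMPLATE, [0, 7, 40])
    for svc in ("login", "pop3"):
        print(svc, authenticate(svc, Credentials("alice", scan=noisy)))
    print("no scanner:", authenticate("pop3", Credentials(
        "alice", password="correct horse battery staple")))
```

Because login and pop3 call the same function, the biometric module is added in one place; when the client has no scanner (scan=None) the module reports "not applicable" and the stack falls through to the password, which is the fallback behaviour the post describes. Real PAM has more control flags (requisite, optional) and biometric matching is vendor-specific, so the threshold and bit-string format here are only illustrative.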