Subject: Re: PAM stinks
To: None <email@example.com>
From: Miles Nordin <carton@Ivy.NET>
Date: 10/03/2001 21:14:09
begin firstname.lastname@example.org quotation.
> > What is the problem that PAM is meant to solve?
> when given a (login,password) tuple, verify that the login and password
see getpwnam(3) and nsswitch.conf(5), an architecture which exists on the
same systems that purport to need PAM, and already accomplishes the purpose
The one thing PAM adds over nsswitch is the ability to swap out password
ciphers as well. But, even this doesn't go very far. If you want S/Key
to work with both login(1) and xdm(1), PAM's ``abstraction'' becomes a
nuissance rather than an aid.
You do not need the PAM architecture to shadow passwords, put passwords
in a db(3) database, use NIS or Hesiod, or add new code to store the
user database in a SQL backend. libc can do all these things.
so, once again, What is PAM for?
> PAM simply saves having to touch n-squared server-side programs
again, so does putting nameservice routines in libc. but, why n^2 rather
> your MVS sounding RACF-like scheme cannot solve those exact same issues
I never said it could. I only said it was a very naive and
quickly-constructed architecture that is much better than PAM, and that
one of the biggest advantages of my architecture over PAM is that its
limitations are obvious.
What can PAM do that my architecture can't? It takes a little while to
convince yourself that the answer is ``nothing''. That little while
you spend convincing yourself is the main reason my architecture is
better than PAM.
Using neither PAM nor my architecture accomplishes the same thing, once
you understand that PAM is absent because it's useless and not because
no one has bothered to add it. People continue to get confused about
this last point.
> No single layer of abstraction can [...] That doesn't make a layer
> [...] bad or useless or dumb.
It is a strawman argument only if you complete the enthymeme, ``Only
architectures which can X, Y, and Z are Good. Therefore, PAM which
cannot do these things is Bad.'' That was not the completion I intended.
I suspect that _nothing_ can X, Y, and Z, which is why I said, ``flawed
Layers of abstraction with no clear purpose or problem-statement do more
harm than good. They confuse people, which is bad because those same
people go off to design other foolish architectures. They also waste
time for people who just want to get stuff done.
My point was not merely that PAM can't do a lot of things that need to be
done. Rather, the _existence_ of PAM makes people think it can do things
that it can't do---if PAM can't make adding a biometric scanner easier,
then why would anyone use it? so, surely it must do that. It doesn't.
You are burdened not only with showing that PAM can Do Things. Of course
it can. To show that PAM is Good, you must show that it's easier to Do
Things with PAM than without. I don't think you can show this. To show
that PAM belongs in NetBSD, you must even further show that PAM is a
``reasonably sane'' way of Doing Things. I'm absolutely positive you
can't show _that._