Subject: Re: Re; PAM stinks
To: None <>
From: Thomas Michael Wanka <>
List: netbsd-advocacy
Date: 10/04/2001 10:55:30

this starts to lead to nowhere I guess.

On 3 Oct 2001, at 17:33, Miles Nordin wrote:

> > If you implement such a system, it is up to you to
> > make shure it works with pop/telnet whatever.
> It's up to me to patch my retinal scanner into telnet, pop3d,
> netatalk, and so on.  Not up to PAM.  okay.
> Here, then, is the question-of-questions for you:  
>   What is the problem that PAM is meant to solve?

Pams function to what I understand is to provide an interface. A 
biometric authentication systems manufacturer does not need to 
make some hundreds or more programms to work with his product, 
but just provide the necessary interface to pam. 

Of course you can say "It is up to me to make my printer print from 
<any application>. Not up to ipp, lpr or whatever. okay.". 

Just because you do not need it does not automatically result in the 
unusefullness for everyone.

Imagine you run someones web server. You need to limit access to 
some pages to his customers. He does not want his customers to 
be system users. He needs access to his websites statistics that 
are passwordprotected. He has a systemaccount. He wants to 
access the webstatistics with his systemaccounts username and 
password. To me this looks like he needs two sources for 
username and password data (systemusers and webusers). He will 
need some mechanism to copy his systemdata to his webdata (so 
when he changes his password for his systemaccount it is changed 
for his webaccount too). I think putting all these data in one mysql 
(or even a "real" RDBMS if you like) database and leave the job of 
authentication to pam is not a bad way (given that pam works). If 
you add other services (pop, imap, ftp and such) using pam can 
make the whole thing much less troublesome. Of course it is your 
right to do whatever you want, but others might want it the easy