Subject: Re: Re; PAM stinks
To: None <email@example.com>
From: Thomas Michael Wanka <Tom@Wanka.at>
Date: 10/04/2001 10:55:30
This starts to lead nowhere, I guess.
On 3 Oct 2001, at 17:33, Miles Nordin wrote:
> > If you implement such a system, it is up to you to
> > make sure it works with pop/telnet whatever.
> It's up to me to patch my retinal scanner into telnet, pop3d,
> netatalk, and so on. Not up to PAM. okay.
> Here, then, is the question-of-questions for you:
> What is the problem that PAM is meant to solve?
PAM's function, from what I understand, is to provide an interface. A
biometric authentication systems manufacturer does not need to
make some hundreds or more programs work with his product,
but just has to provide the necessary interface to PAM.
Of course you can say "It is up to me to make my printer print from
<any application>. Not up to ipp, lpr or whatever. okay.".
Just because you do not need it does not automatically make it
useless for everyone.
Imagine you run someone's web server. You need to limit access to
some pages to his customers. He does not want his customers to
be system users. He needs access to his website's statistics, which
are password-protected. He has a system account. He wants to
access the web statistics with his system account's username and
password. To me this looks like he needs two sources for
username and password data (system users and web users). He will
need some mechanism to copy his system data to his web data (so
when he changes his password for his system account it is changed
for his web account too). I think putting all this data in one MySQL
(or even a "real" RDBMS if you like) database and leaving the job of
authentication to PAM is not a bad way (given that PAM works). If
you add other services (pop, imap, ftp and such), using PAM can
make the whole thing much less troublesome. Of course it is your
right to do whatever you want, but others might want it the easy